Radisson Hotel Group has become the latest big brand in the sector to suffer a data breach, after admitting that a "small percentage" of loyalty club members had their personal information accessed by an unauthorized person.
The notification statement is worded in such a way as to hint that the attacker may have gained access first to staff accounts, which in turn exposed the customer data.
“Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior,” it noted.
Although the breach didn’t affect credit card or password information, it did expose Radisson Rewards member names, addresses, email addresses, and in some cases, company names, phone numbers, Radisson Rewards member numbers and frequent flyer numbers.
That could be useful for “specific, low incidence, criminal use cases” according to Ross Rustici, senior director of intelligence services at Cybereason.
“Unlike a large-scale credit card breach, the most likely way this information is to be monetized is through enhancing a pattern of like analysis on particular individuals, either high net worth or people with specific access to something,” he continued. “This type of information is far more useful for an intelligence targeting package than for large-scale monetization.”
Given that the chain operates under numerous brands with 1400 hotels all over the world, the GDPR is likely to come into play here.
That could spell trouble, given the firm said it identified the incident on October 1, almost a month before notifying.
“Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations,” said Rustici.