Guests at 14 Trump properties across the US and parts of Canada have had their credit card information exposed for the third time in as many years.
A letter posted on the Trump Hotels corporate website explained that the chain is the latest victim of the hackers that broke into the Sabre SynXis Central Reservations System, which facilitates the booking of hotel reservations made by consumers through hotels, online travel agencies and similar booking services.
In the notice, the Trump organization said that the last access to consumer information at the affected properties was on March 9. The unauthorized party was able to access payment card information including cardholder name, payment card number, card expiration date, and potentially card security codes. In some cases, the unauthorized party also was able to access guest name, email, phone number, address and other information.
Hackers were able to remain undetected on the Sabre network for seven months, stealing data between August 2016 and March 2017. It’s a widely used reservation system, and it’s unclear how many of its customers were impacted. In the last few days it has come to light that the Four Seasons, Hard Rock properties and Loews were all victims, and it’s likely that other properties will emerge as well.
"How widespread the Sabre breach was won't be known for several months,” said Michael Magrath, director, Global Regulations and Standards, VASCO Data Security. “Four Seasons, Loews and Hard Rock may just be the top of the iceberg. It often takes over 4 months for organizations to discover a breach. Cybercriminals continue to penetrate under secure systems, often targeting usernames and static passwords or compromising unsecure mobile applications. Organizations must deploy multifactor authentication as part of an overall layered security approach. Additionally, mobile application shielding with RASP technology should be considered."
Sabre, however, is not the only one to blame. After all, seven of the luxury hotels owned by then-presidential candidate Donald Trump were infected for more than a year, between May 2014 and June 2015, with payment info-stealing malware. The compromise affected transactions at the front desk of the hotels, hotel restaurants and gift shops. A second breach then came to light in April 2016.
“As we’ve seen with the Oracle-MICROS breach late last year and now the Sabre Hospitality Solutions breach, the hospitality industry has been hit particularly hard by third-party breaches, as hackers have aggressively and effectively targeted hotels’ service providers to access customer data,” said Fred Kneip, CEO, CyberGRX, via email. “That this is the third breach in as many years for Trump Hotels demonstrates that hospitality industry is falling short when it comes to identifying which third parties pose the greatest risk. The methods companies use to assess, manage and mitigate third-party cyber risk need to evolve along with the threats they face.”
Lisa Baergen, director at NuData Security, told us that the impact of the situation goes far beyond the stolen credit card numbers.
"Whenever personally identifiable information (PII) is compromised by a third-party provider, such as Sabre, the looted consumer data can be made available to be cross-correlated with details from a plethora of other breaches and social platforms to create comprehensive digital identities,” she said. “These full packages of identity information are more valuable to hackers, rendering the potential victims susceptible to fraud, identity theft, account takeovers. And for the brands themselves, likely that these impacted consumers will be potentially less loyal to their brands of choice.”