Trump Hotels and Management LLC has paid the price for failing to implement robust security controls to secure its POS system from cybercriminals.
The hotel chain, which is headed by Donald Trump and run by three of his children, has been fined $50,000 by the New York Attorney General for a data breach that exposed the credit card details and personal information of over 70,000 guests in 2015.
Banks conducted an investigation following a spate of fraudulent credit card transactions last year, and determined that the common denominator was all of the victims had previously stayed in Trump-owned hotels. In all of the cases, Trump Hotels was the last merchant to process a legitimate card transaction, indicating there had been a breach of credit card details at the hotel chain.
A further investigation revealed that the POS system used by 5 Trump hotels in Chicago, Las Vegas, and New York had been infected with malware. The malware was installed on the credit card processing system in May 2014 and access to the system was gained using legitimate domain administrator credentials. The malware was able to capture the payment card information of guests.
The fine, which was announced by New York Attorney General Eric Schneiderman on Friday, was issued for the failure to adequately secure its systems and for the delay in issuing breach notifications to consumers. Trump Hotels did place a breach notice on the company website, but it took 4 months for that notice to be uploaded – a breach of state laws in New York.
Schneiderman explained “It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law.”
A spokesperson for Trump Hotels explained that the hotel industry is under attack by cybercriminals looking to gain access to guests’ credit card details. “Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations including almost every major hotel company.”
Other notable hospitality industry breaches include the cyberattack on Hyatt hotels and Starwood Hotels & Resorts Worldwide. The Hyatt breach affected 250 hotels, while the Starwood breach resulted in the POS systems of 54 hotels being loaded with malware.
Cyberattacks are to be expected; however, security controls at Trump Hotels appear to be insufficient. A second credit card system data breach was discovered to have affected the hotel chain in March this year. Investigators discovered malware had been installed on 39 computer systems used at various locations.
In addition to the $50,000 fine, Trump Hotels has agreed to adopt a corrective action plan which requires additional security controls to be installed to prevent future data breaches.
It may not be possible to prevent all cyberattacks but, with the hospitality industry coming under attack, it is essential that security controls are implemented that prevent the installation of malware. Keyloggers and other information stealing malware are usually delivered via spam email or are unwittingly downloaded from malicious websites.
In order to prevent infections via email, hotel chains can implement a robust spam filter. Web-borne infections can be prevented using a powerful web filtering solution to block malware downloads.