Cyber-thieves gained access to guests’ credit card details for eight months’ worth of reservations made at President Donald Trump’s luxury hotel chain. Hackers attacked 14 properties but were unable to breach internal systems, the hotel said.
Trump Hotels said in a notice posted on its website: “The privacy and the protection of guests’ information is a matter we take very seriously.”
The company’s service provider, Sabre Hospitality Solutions, notified the hotels about the cybersecurity attack on June 5, Trump Hotels said.
The breach happened at the central reservation system, which takes bookings through hotels, online travel agencies and other booking services, and affected 14 Trump properties including the Trump International Hotel in Washington, DC. Other hotels were in New York, Washington state and Vancouver, Canada.
Hackers were able to retrieve guests’ names, emails, phone numbers, addresses and other information.
Trump Hotels did not mention in its notice how many guests were affected in the cybersecurity attack.
“The investigation found that the unauthorized party first obtained access to Trump Hotels-related payment card and other reservation information on August 10, 2016. The last access to this information was on March 9, 2017,” Trump Hotels said.
“Information such as Social Security, passport and driver’s license number were not accessed,” it added.
The hack is the third time a months-long security snafu has affected guests of the chain of luxury hotels.
The attack comes less than a year after Trump International Hotels Management paid $50,000 in penalties to New York state for failing to notify customers immediately of an earlier data breach. The 2014 breach led to the exposure of more than 70,000 credit card numbers and 300 Social Security numbers, according to the Washington Post.
Trump Hotels agreed to update its security practices as a result of the agreement.
Hotel chains have lagged behind many other businesses in protecting their networks, security analysts told the Washington Post.
Earlier this year, the InterContinental Hotel Group said guests’ credit card data had been compromised at more than 1,200 of its properties, including Holiday Inn and Crowne Plaza hotels, over a three month period.
The InterContinental hotel group said malware searched for track data – cardholder name, card number, expiration date and internal verification code – and read from the magnetic stripe of a payment card as it was being routed through the affected hotel server.
In 2015, hackers breached the reservation system for nearly a year at seven Trump hotels, among them properties in Miami, Florida; Chicago, Illinois; Las Vegas, Nevada; and New York.
Following that attack, Trump Hotel Collection removed the malware that infected its point-of-sale terminals and was reconfiguring its network to make it more secure, the company said.
ProPublica and Gizmodo found that a number of Trump properties, including the Mar-a-Lago resort in Palm Beach, Florida – where the president regularly spends his weekends, and he has hosted foreign heads of state – had less-than-secure wireless networks.
In May, Trump signed an executive order on cybersecurity designed to hold the heads of federal agencies accountable for cybersecurity risks and breaches in their networks.
“The executive branch has for too long accepted antiquated and difficult-to-defend IT,” the order said.
“We’ve seen increasing attacks from allies, adversaries, primarily nation states, but also non-nation state actors,” Thomas Bossert, Trump’s homeland security adviser, said in a White House briefing at the time. “Sitting by and doing nothing is no longer an option.”