Trump Hotels and Management LLC has suffered the consequences of not implementing more robust security measures to safeguard its POS system from hackers.
The hotel group, which is headed by Donald Trump and run on a day-to-day basis by three of his children, has been hit with a $50,000 penalty by the New York Attorney General for a data breach that exposed the credit card details and personal data of over 70,000 guests in 2015.
Banks carried out an investigation following a number of fraudulent credit card transactions in 2015, and found that the common denominator was that all of the victims had previously stayed in Trump-owned hotels. In all instances, Trump Hotels was the last merchant to complete a legitimate card transaction, showing there had been a breach of credit card details at the hotel chain.
A further investigation showed that the POS system used by 5 Trump hotels in Chicago, Las Vegas, and New York had been infiltrated with malware. The malware was downloaded on the credit card processing system in May 2014 and access to the system was obtained using legitimate domain administrator credentials. The malware was able to record the payment card information of guests.
The fine, which was revealed by New York Attorney General Eric Schneiderman on Friday, was issued for the failure to properly secure its systems and for the delay in sending out breach notifications to consumers. Trump Hotels did publish a breach notice on the company website, but it took 4 months for that notice to be uploaded – a violation of state laws in New York.
Schneiderman stated, “It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law.”
A representative for Trump Hotels explained that the hotel industry is under attack by cybercriminals looking to obtain access to guests’ credit card details. “Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations including almost every major hotel company.”
Other notable hospitality industry breaches include the cyberattacks on Hyatt hotels and Starwood Hotels & Resorts Worldwide. The Hyatt breach impacted 250 hotels, while the Starwood breach led to the POS systems of 54 hotels being loaded with malware.
Security measures at Trump Hotels appear to have been inadequate. A second credit card system data breach was found to have affected the hotel chain in March this year. Investigators found malware had been downloaded on 39 computer systems used at various locations.
Along with the $50,000 fine, Trump Hotels has agreed to put in place a corrective action plan which requires additional security controls to be implemented to stop future data breaches.
It may not be possible to stop all cyberattacks but, with the hospitality industry coming under the sharp focus of hackers, it is important that security controls are in place that stop the installation of malware. Keyloggers and other data-stealing malware are usually delivered via spam email or are unwittingly installed from malicious websites.
In order to stop infections via email, hotel chains can put in place a strong spam filter. Web-borne infections can be stopped by using a powerful web filtering solution to prevent malware downloads.