Trump International Hotels Management is now the latest in a series of hotel and resort chain operators to inform customers that their card payment data was compromised due to a breach at third-party hospitality solutions provider Sabre Corporation.
Hard Rock Hotels & Casinos, Loews Hotels, and Four Seasons Hotels and Resorts have also made such declarations over the last week, following the May 2017 announcement that an authorized attacker gained access to Sabre’s Hospitality Solutions SynXis Central Reservations system, which handles bookings for the resorts. In all four of these cases, the hospitality company issued an online statement warning customers that reservations processed through SynXis from August 10, 2016 through March 9, 2017 were affected.
In their various statements, the hotels say Sabre contacted them about the incident on either June 5 or 6, 2017. A statement published by Loews Hotels said that compromised information included cardholder names, payment card numbers, and card expiration data and security code, and in some cases guest names, email addresses, phone numbers, addresses and other information.
Trump Hotels’ statement uses the same language from the Loews statement, nearly word for word, and lists 14 affected properties: Trump Central Park, Trump Chicago, Trump Doonbeg, Trump Doral, Trump Las Vegas, Trump Panama, Trump Soho, Trump Toronto, Trump Turnberry, Trump Vancouver, Trump Waikiki, Trump DC, Trump Rio De Janeiro and Albemarle Estate.
Various news outlets have reported that this is the third known data breach involving Trump hotels since 2014. In September 2016, New York Attorney General Eric Schneiderman announced that Trump International Hotels Management agreed to pay more than $500,000 in fines following the exposure of 70,000 credit card numbers resulting from several breaches.
“That this is the third breach in as many years for Trump Hotels demonstrates that hospitality industry is falling short when it comes to identifying which third parties pose the greatest risk,” said Fred Kneip, CEO at cyber risk management company CyberGRX. “The methods companies use to assess, manage, and mitigate third-party cyber risk need to evolve along with the threats they face.”
Hard Rock has experienced a previous breach as well: In June 2016, the Hard Rock Hotel & Casino in Las Vegas disclosed that customer payment data was stolen and used fraudulently after an attacker installed POS malware on its systems. The malware was active from Oct. 27, 2015 through March 21, 2016.
This time around, Hard Rock said that 11 of its hotels were victimized: Hard Rock Hotel & Casino Biloxi, Hard Rock Hotel Cancun, Hard Rock Hotel Chicago, Hard Rock Hotel Goa, Hard Rock Hotel & Casino Las Vegas, Hard Rock Hotel Palm Springs, Hard Rock Hotel Panama Megapolis, Hard Rock Hotel & Casino Punta Cana, Hard Rock Hotel Rivera Maya, Hard Rock Hotel San Diego and Hard Rock Hotel Vallarta.
Loews cited 21 impacted properties: Beach House Suites by The Don CeSar, Hotel 1000, Loews Annapolis Hotel, Loews Atlanta Hotel, Loews Boston Hotel, Loews Chicago Hotel, Loews Chicago O’Hare Hotel, Loews Coronado Bay Resort, Loews Don CeSar Hotel, Loews Hollywood Hotel, Loews Hotel Vogue, Loews Madison Hotel, Loews Miami Beach Hotel, Loews Minneapolis Hotel, Loews New Orleans Hotel, Loews Philadelphia Hotel, Loews Regency New York Hotel, Loews Regency San Francisco Hotel, Loews Santa Monica Hotel, Loews Vanderbilt Hotel and Loews Ventana Canyon Resort.
The Four Seasons’ online statement consists primarily of a letter provided by Sabre and does not list specific hotels or resorts hit by the breach.
The hotel chains also emphasized that their own systems were not breached in the attack. Only customers who made reservations via Sabre’s service would have been impacted.
Michael Magrath, director of global regulations and standards at VASCO Data Security, said that there very well could be more announcements to come. “How widespread the Sabre breach was won’t be known for several months. [These incidents] may just be the top of the iceberg,” said Magrath. “Cyber criminals continue to penetrate under secure systems, often targeting usernames and static passwords or compromising unsecure mobile applications.”
It was also previously reported that the details of some Google employees were left exposed by the breach, after the search engine company’s travel management company Wagonlit Travel was affected.