Guests at 14 Trump properties, including hotels in Washington, D.C., New York and Las Vegas, have had their credit card information exposed, marking the third time in as many years that a months-long security breach has affected customers of the chain of luxury hotels.
The latest instance occurred between August 2016 and March 2017, according to a notice on the company’s website, and included guest names, addresses and phone numbers, as well as credit card numbers and expiration dates. The breach took place on the systems of Sabre Hospitality Solutions, a reservation booking service used by Trump Hotels, but did not compromise the Trump Hotels systems.
“The privacy and protection of our guests’ information is a matter we take very seriously,” the notice said, adding that Trump Hotels was notified of the breach June 5. Trump Hotels declined to comment beyond what was posted in the notice.
The news of the latest cybersecurity attack comes less than a year after Trump International Hotels Management paid $50,000 in penalties to New York state for failing to notify customers immediately after data breaches in 2015 led to the exposure of more than 70,000 credit card numbers and 300 Social Security numbers. The company also agreed to update its security practices as a result of the settlement.
Security analysts say hotel chains have lagged behind many other businesses in protecting their networks and have been hit particularly hard by cyberattacks in recent years because they tend to have massive swaths of personal data and credit card information across multiple properties. Earlier this year, InterContinental Hotels Group said customer credit card data had been compromised at more than 1,200 of its properties, including Holiday Inn and Crowne Plaza hotels, over a three-month period.
“Why are hackers targeting hotels? Well, because they’re a good target,” said Peter Singer, a senior fellow at the New America Foundation, a centrist think tank. “Then you look at Trump’s hotels, and they’re obviously a highly symbolic target.”
“If more people are staying there in an attempt to curry favor with the government, the fishing pool of targets is certainly greater than it was prior to November,” he said.
Attackers first infiltrated Trump Hotels’ payment processing system in May 2014, installing malware on the company’s networks to mine customers’ credit card information, according to an investigation cited by Eric Schneiderman, New York’s attorney general. Trump Hotels was informed of the breach in June 2015 but did not post a notice on its website until four months later, according to Schneiderman.
A second breach took place beginning in November 2015, when malware was installed on 39 systems affecting five Trump hotels, according to investigators. Four months later, in March 2016, an attacker tapped into a legacy payment system that included personal information of Trump hotel property owners, including the names and Social Security numbers of more than 300 people.
“It seems very negligent that this could happen a number of times,” said Justin Cappos, a systems and security professor at New York University. “These patterns of oversight are a huge problem.”
In the most recent breach, less than 15% of daily bookings on the reservation system during the seven-month period were compromised, according to a Sabre spokesman. Other affected hotels include 11 Hard Rock Hotel & Casino properties and 21 Loews Hotels. It is not uncommon, analysts said, for breaches like these to span many months.
“These things can go undetected for several months to over a year,” said John Christly, chief information security officer for Netsurion, a network security provider. “We’re not seeing a lot of hotels focus on security the way we’d like them to, but with the proper technology, hacks like this can be stopped before they even happen.”
In May, ProPublica and Gizmodo found that a number of Trump properties — including the Mar-a-Lago resort in Palm Beach, Fla., where the president regularly spends his weekends — had less-than-secure wireless networks. “We could have hacked them in less than five minutes,” reporters at those sites wrote, “but we refrained.”
That same month, President Trump signed an executive order on cybersecurity that holds federal agency heads accountable for cybersecurity risks and breaches in their networks. “The executive branch has for too long accepted antiquated and difficult-to-defend IT,” the order said.
“We’ve seen increasing attacks from allies, adversaries — primarily nation-states, but also non-nation-state actors,” Thomas Bossert, Trump’s homeland security advisor, said in a White House briefing at the time. “Sitting by and doing nothing is no longer an option.”
Bhattarai writes for the Washington Post.