Card Data at Trump Hotels, Among Others, Breached Again.
Byline: Roy Urrico
Obscured by other July headlines was news that Trump Hotels, along with Four Seasons, Hard Rock Hotels & Casinos and Loews Hotels, announced that a security breach may have exposed customer data.
All the incidents related to Sabre Hospitality Solutions, the multinational travel industry titan, which alerted hotels about an apparent breach of its software-as-a-service SynXis Central Reservations system that could affect 36,000 properties, customers' payment card data and personal details.
KrebsOnSecurity first reported in May that Southlake, Texas-based Sabre, in a quarterly filing with the U.S. Securities and Exchange Commission, said it was investigating an incident of unauthorized access to payment information contained in a subset of its hotel reservations system. Last week, Trump International Hotels disclosed that the Sabre breach impacted at least 13 Trump Hotel properties between August 2016 and March 2017.
For the Trump hotels, it was the third credit-card data breach in the past two years. Other hotel chains that disclosed data leaks in the Sabre breach included 11 Hard Rock properties (an additional chain victimized by multiple card breaches); Four Seasons Hotels and Resorts; and at least two dozen Loews Hotels in the United States and Canada.
According to Verizon's latest annual Data Breach Investigations Report, malware attacks on point-of-sale systems are absolutely rampant. "Point of sale (POS) environments continue to provide rich pickings for the bad guys, with nearly 98% of all recorded POS attacks resulting in a confirmed data breach. The focus of attacks has shifted from hotel chains to restaurants and small businesses."
"These attacks can go undetected for several months to over a year," said John Christly, global chief information security officer for Netsurion and EventTracker. "We're not seeing a lot of hotels focus on security the way we'd like them to, but with the proper technology, hacks like this can be stopped before they even happen. The essentials include a managed firewall, file integrity monitoring, unified threat management appliances, SIEM, managed detection and response, and next-generation endpoint security."