pixel_dreams - Fotolia

Trump hotel group investigates payment card breach

Financial sector sources say a pattern of payment card fraud indicates hackers have breached payment systems at some, and possibly all, Trump Hotel Collection properties

The Trump Hotel Collection is investigating a possible payment card data breach, which, if confirmed, will be the group’s second in less than a year.

The hotel group, tied to controversial businessman and Republican presidential candidate Donald Trump, said that like most other businesses, it is routinely targeted by cyber attacks.

“We are in the midst of a thorough investigation on this matter,” the company said in a statement. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

The potential breach was first reported by security writer Brian Krebs, who was contacted by three unnamed financial sector sources.

According to the sources, a pattern of fraud on customer credit cards indicates that hackers have breached credit card systems at some, and possibly all, hotels in the group.

Krebs reported that the fraud-linked cards were used at several Trump Hotel properties in the past two or three months, including Trump International Hotel New York, Trump Hotel Waikiki in Honolulu and the Trump International Hotel and Tower in Toronto.

In October 2015, the Trump Hotel Collection confirmed that its payment systems had been infected with data-stealing malware in May 2015, after Krebs first reported the suspected breach in July 2015.

The hotel group was one of several hit by malware in their point-of-sale (PoS) systems in 2015, including the Hilton Worldwide group, the Mandarin Oriental group, Hard Rock’s Las Vegas Hotel & Casino, the Las Vegas Sands Casino, and Starwood Hotels, which owns Sheraton and Westin.

Tod Beardsley, security research manager at Rapid7, said that although causes of the suspected breach could range from a disgruntled insider to a breach of core IT systems, the most likely cause is another compromise of the PoS systems.

“I would be surprised if the techniques used by the attackers in this case were substantively different from those used against Starwood and Hilton,” he said. “We have seen that in the hotel industry, the PoS systems are generally the weakest link in the IT chain, and technically savvy criminal organisations have clearly figured this out.”

Retail companies, hotel chains and restaurants should examine their PoS installations for common misconfigurations and exposures, such as default and easily guessed passwords, outdated software and poor network segmentation, said Beardsley.

Read more about PoS malware

Chris Webber, security strategist at Centrify, said an attack on the hotel group would not be surprising given the amount of public attention on Donald Trump himself, as well as the general fact that hotels are a popular target for attackers.  

“One thing we can be sure of is that Trump is a target for both hacktivists and financially-motivated attackers,” he said.

However, despite Trump being a “polarising” figure, Webber said all businesses need to recognise that they are targets of cyber criminals.

“They also need to recognise that their defences are only as strong as their weakest password, and if they continue to rely on passwords for protection, they should all expect to be breached,” he said.

According to Financial Fraud Action UK’s latest annual report, losses on UK cards totalled £567.5m in 2015, a rise of 18% from the previous year. The largest proportion of card fraud losses was due to remote purchase fraud (70%), followed by lost and stolen cards (13%), counterfeit cards (8%) and card ID theft (7%).

Remote purchase fraud, including e-commerce fraud, accounted for losses of £398.2m, up 20% from the previous year in value and up 17% in volume.

Remote purchase fraud mainly involves fraudsters using card details stolen though data hacks and malware, while counterfeit card fraud occurs when a fake card is created by criminals using compromised details from the magnetic stripe of a genuine card.

This typically occurs when criminals steal details from a UK-issued card that is then used to make a fake magnetic stripe card for use overseas in countries yet to upgrade to Chip and PIN.

However, because of an increased roll-out of Chip and PIN technology around the world, counterfeit card fraud losses fell by 5% to £45.3m in 2015, but losses continue to be relatively high in the US, which is still moving to Chip and PIN cards.

Read more on Hackers and cybercrime prevention