The Trump Hotel Collection - a small group of luxury properties - has suffered a data breach that has involved guest credit card data, according to a report from respected security blogger Brian Krebs.
Big questions immediately arise: Is the attack politically motivated? How does it impact Trump guests? How does it impact guests at any hotels?
The last question arises, because hotels have suffered an epidemic of data breaches in the past couple years. Hilton, Starwood, Hyatt and management company White Lodging (which runs many Marriotts) have all acknowledged significant data breaches involving guest information. If you stay at hotels you have to be cognizant of the risks. They are under assault by cyber criminals.
As for the political implications, that question gets asked, because hacktivist group Anonymous in mid-March declared a “total war” on Trump and his companies. Did this organization hack Trump’s hotels? Nobody knows. Anonymous has not issued a statement saying it had. And, said Canh Tran, CEO of Chicago based data breach monitoring firm Rippleshot, his hunch is that Anonymous is not behind this incident. Tran says the evidence is not decisive. But, he said, usually it takes up to eight months for a breach to be detected, which means this Trump Hotel breach probably dates back to summer 2015, long before the Anonymous threat.
Krebs said he contacted Trump, because banking industry sources told him there was evidence of a breach at at least some Trump hotels. The company did not confirm or deny a breach. Here is what it told Krebs in a written statement: “We are in the midst of a thorough investigation on this matter. We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.” (The Trump Hotel Collection had not responded to a request for comment by TheStreet.)
Last summer Trump’s hotels definitely suffered a data breach. The company created a website to address the issue. It explained: “Between May 19, 2014, and June 2, 2015, we believe that there may have been unauthorized malware access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels managed by the Trump Hotel Collection. For those customers that used credit or debit cards to make purchases during this time, we believe that the malware may have affected payment card data including payment card account number, card expiration date and security code.”
Trump's hotels may have special security vulnerabilities that go beyond the political candidate's celebrity. “In the SecurityScorecard platform Trump Hotel Collection is a C - 72% - compared to peers in the hospitality industry," said Sam Kassoumeh, COO at SecurityScorecard, a company that grades the IT security of organizations. "The security hygiene score is bordering a D letter grade - quite poor.”
Nonetheless, the industry as a whole has a terrible record for security, as witness the many breaches over the past few years. Why so many? “There are reasons why hotels are juicy targets [for hackers] - travelers don’t look at their expenses that carefully,"Tran said. "There are lots of point of sale terminals at hotels and many have vulnerabilities.” Think gift shops, restaurants and bars.
Tran added the zinger: “Hotels collect a lot of your personal info, to market to you. Hackers don’t just want a credit card. They want more information. At a hotel, they get your home address.”
That is gold to a hacker. A credit card number - just a number - has little value on criminal black markets. Add in a zip code and its value multiplies, because credit card security often rejects a purchase based on geographic unlikeliness. Present a Phoenix card at a big box store in Detroit to buy two big screen TVs, and unless that card has a history in Michigan, it could easily be declined. Present it in Phoenix and - even if it has no history in big boxes - if it has credit availability - it’s a sale.
So hackers like hotels because as a group - not just Trump but the industry - there are lots of poorly tended terminals, and when a hacker gets in, he gets much more than card numbers.
Experts are adamant: the attacks will continue until hotels significantly strengthen their defenses.
The money question: what can you do to protect yourself?
Some experts caution against using credit cards at hotels and, good as that advice may be, it is impractical. Most hotels require a credit card on check in.
“Monitor your accounts," said Gary Davis, chief consumer security evangelist at Intel Security. "Keep an eye out for suspicious activity in your transaction log. Daily monitoring of your accounts will help you see the first signs of a potential account takeover, and help you take quick action.”
Other advice: do not use debit cards in hotels, said Ryan Kalember, senior vice president at security company Proofpoint. Consumer protections on debit cards are lots weaker than on credit cards. Stick with credit cards and, very probably, your next hotel stay will be financially uneventful, no matter what hackers do.