Trump Hotels Kept Their Customers' Credit Card Hack Secret For Months

Trump Hotel Collection has settled with the New York Attorney General for taking too long to tell customers that their personal data had been stolen from its system.

Last updated on September 23, 2016, at 6:21 p.m. ET

Posted on September 23, 2016, at 5:22 p.m. ET

Republican presidential nominee Donald Trump speaks during a campaign rally September 22, 2016 in Aston, Pennsylvania.
Mark Wilson / Getty Images

The Trump Hotel Collection has agreed to pay thousands of dollars in penalties for not properly disclosing a series of hacks on its computer network. The hacks, which have received only modest press coverage during Trump's heated campaign for the presidency, date back to 2014 and resulted in the theft of 70,000 customers’ credit card numbers and other personal data.

New York Attorney General Eric T. Schneiderman announced the settlement with the Trump Hotel Collection on Friday. The hotel chain, whose locations from Las Vegas to New York were affected by the data breach, will have to shell out $50,000. As part of the settlement, the chain also committed to improving its data security practices.

The hacks date back to at least May 19, 2014, according to the attorney general's press release. That's when a hacker accessed Trump International Hotels’ payment processing system through an administrative account using legitimate login credentials. The hacker then deployed malware into the system that stole the hotels’ customer credit card information and other data, according to the attorney general’s office.

Law enforcement didn't start investigating until a year later, when multiple banks found that thousands of fraudulent credit card transactions traced back to several hotels under the management of Trump International. Investigators alerted Trump International Hotels of the attack in June 2015, but the company did not notify its customers until September of that year, when it posted a notice of the breach on its website.

That delay was the basis of the Attorney General’s recent charges, which found that Trump International violated a New York business law that requires hacked companies to notify consumers “in the most expedient time possible and without unreasonable delay.”

Six Trump hotels in New York City, Miami, Chicago, Honolulu, Las Vegas, and Toronto were affected by the hack.

A spokesperson for Trump Hotels said in a prepared statement, “Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations, including almost every major hotel company. Safeguarding our customers’ data is a top priority for the company and we will continue taking actions to do so.”

The credit card theft was not Trump International Hotels’ only data breach in the past few years, the Attorney General’s office found. In November 2015 — five months after the hotel chain had learned of the first hack — a hacker installed credit card harvesting software in Trump International’s system that yielded information used in more credit card fraud. Fraud investigators found that the hacker later took more personal information, including the social security numbers of about 300 people, from a different company system in March 2016. Trump International received notice of these breaches in late March 2016, but the company waited three months, until June 2016, to tell its customers that their data had been stolen from its system.

Forensic investigators had recommended that Trump International implement two-factor authentication after the first breach, back in 2015. The company waited until April 2016 to do so, and the Attorney General said Trump International could have prevented the subsequent breaches if it had bolstered its security the first time it learned about its system’s security vulnerabilities.

Paul Martini, CEO of iboss Cybersecurity, said of the breach, "Understanding the severity of [a] breach can be complex ... but there's no excuse to withhold news of the breach. Some organizations say they're going to gather more info; some raise their hands and say, 'we don't have the expertise' — but any choice should include reporting the breach."

As for the forensic investigators' recommendations, Martini said even those steps might not have been enough to protect the hotel customers' data. "Multi-factor authentication would have helped preclude someone logging into the network administrator's account, but it wouldn't have prevented the hijacking after the malware was already in the payments processor," he told BuzzFeed News.

When BuzzFeed News asked what this data breach means for Trump's cybersecurity record as the Republican nominee, his campaign responded:

"Donald Trump is the only candidate who will ensure American interests are effectively protected, unlike Hillary Clinton who has proven herself to be utterly incompetent as evidenced by her illegal use of an unsecured email server that was completely vulnerable to hacking."