The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and Republican presidential candidate Donald Trump, said last week that a year-long breach of its credit card system may have resulted in the theft of cards used at the hotels.
The acknowledgement comes roughly three months after this author first reported that multiple financial institutions suspected the hotels were compromised.
In a Web site created to share details about the hack, The Trump Hotel Collection said the breach affects customers who used their credit or debit cards at the hotels between May 19, 2014, and June 2, 2015.
“While the independent forensic investigator did not find evidence that information was taken from the Hotel’s systems, it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems. Payment card data (including payment card account number, card expiration date, and security code) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected.
The Trump compromise is just the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments. In March, upscale hotel chain Mandarin Oriental disclosed a compromise. The following month, hotel franchising firm White Lodging acknowledged that, for the second time in 12 months, card processing systems at several of its locations were breached by hackers.
On Sept. 25, this author first reported that the Hilton Hotel chain is investigating reports of a pattern of card fraud traced back to some of its properties.
Right: Trump International Hotel and Tower in Chicago.
The Trump advisory named the individual properties that were hit with the card-stealing malware, including Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto.
The hotel collection said transactions on the point-of-sale terminals at the Las Vegas and Waikiki properties may also have been intercepted by card thieves.
This tracks almost exactly what I heard from banks in June of this year, who told me they had little doubt that Trump properties in several U.S. locations â€" including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York â€" were dealing with a card breach that appeared to extend back to at least February 2015. Turns out, it was quite a bit longer than that.
Many experts I’ve interviewed believe that the huge number of card breaches at U.S.-based organizations over the past year represents a response by fraudsters to changes in the United States designed to make credit and debit cards more difficult and expensive to counterfeit.
Non-chip cards store cardholder data on a magnetic stripe, which can be trivially stolen by malware designed to infect point-of-sale devices. The data is then sold to thieves who can copy and re-encode it onto virtually anything else with a magnetic stripe and use the counterfeit cards to buy stolen merchandise from big box stores.
Effective October 1, 2015, U.S.-based merchants that have not yet installed card readers which accept more secure chip-based cards assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers) cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.
For more on chip card technology and why most U.S. banks are moving to chip-and-signature over the more widely used chip-and-PIN approach, check out this story.
Also Read: (Click title)
Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. He was recently profiled in Business Week and by Poynter.org.
www.krebsonsecurity.com
