Trump Hotel chain investigates potential payment card breach

library
crime | hacking | security

Republican presidential candidate and business magnate Donald Trump isn’t having the best of times right now.

Having recently seen his branded merchandise removed from stores after referring to immigrants from Mexico and other countries as “killers and rapists”, his hotel chain is now having to investigate a potential data breach.

According to security journalist Brian Krebs, several US banks spotted a pattern among fraudulent charges appearing on people’s credit and debit cards – each victim had stayed at a Trump hotel recently.

Krebs said his sources within the financial industry were fairly certain that Trump hotels, including those in Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York, were affected. The breach appears to date back at least as far as February 2015, he said.

The company is yet to confirm or deny whether a breach did actually take place, though Trump’s son Eric, executive vice president of development and acquisitions, did tell CNBC that:

Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties.

We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.

If a breach is confirmed, the Trump organisation would join a growing list of hotels to be targeted by credit and debit card thieves.

US history of point of sale (POS) breaches

In March the Mandarin Oriental hotel chain confirmed it was probing a potential breach that saw unauthorised access of credit card systems in a small number of its properties.

And the previous year White Lodging, the company behind well-known US hotel chains Hilton, Marriott, Sheraton and Westin, said properties in six US cities had been breached by hackers via its card processing systems.

Naturally, it’s not just hotel chains that attract attention from credit card criminals.

In December 2013 Target took temporary ownership of the largest ever retail breach crown after point-of-sale malware was used to exfiltrate some 40 million payment card details. Additionally, 70 million ‘guest’ records packed full of customers’ personal information were also swiped.

At the beginning of 2014, Neiman Marcus waved goodbye to an undisclosed number of payment cards.

In June 2014 P.F. Chang’s China Bistro restaurant chain began investigating a potential breach, later confirming that payment cards used in a number of its restaurants may have been compromised.

August 2014 revealed how point-of-sale malware was once again the culprit as Supervalu disclosed a breach. The retailer said it was investigating the potential theft of payment card data from as many as 200 of its stores.

In September 2014 we saw another huge breach as 56 million payment cards were compromised after custom malware was used to target Home Depot‘s point-of-sale systems.

Hastening in Chip and Pin

As John Zorabedian noted at the time, the only possible good to come from so many data breaches was the potential hastening of the death knell for the magnetic stripe credit cards so beloved in the US.

Unlike the EMV Chip and PIN cards used by much of the rest of the world, the so-called magstripe cards are especially prone to cloning and are far easier for criminals to subsequently use.

The end may finally be nigh for magstripe cards in the US, Krebs writes, as merchants are set to bear the cost of fraud undertaken with counterfeit cards unless they have installed Chip and PIN card readers:

In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards.

The cost of installing card readers and updating POS software is likely to be a huge burden for merchants but one that may well to pale into insignificance when compared with the financial implications of a shift in liability and the potential reputational and monetary damage caused by a breach.

In addition to installing card readers, concerned businesses may also wish to read our 6 tips for keeping your data safe and revisit their incident response plans.