Donald Trump Jr. isn’t the only one stressed out about sensitive data leaking on the Internet.
Customers of Trump Hotels that booked one of several locations on certain dates in November 2016 may see their data tied up in a data breach that occurred on the systems of a vendor of the hotel chain, Sabre Hospitality Solutions. Trump Hotels says it was notified of the breach by Sabre on June 5 and it posted a notice to its website warning guests on Tuesday.
The Trump Toronto location is listed as one of the affected locations.
While the hotel chain is the namesake of U.S. President Donald Trump, it is owned by InnVest Real Estate Investment Trump and was built by Talon International Development Inc. Officially, the hotel is currently operating under the name of Adelaide Hotel Toronto. Following ongoing renovations, it will be renamed to St. Regis Toronto, as reported by The Toronto Star.
The Trump chain was caught up in a wider data breach that affected other customers of Sabre. As explained in the Trump Hotels notice, Sabre’s SynXis Central Reservations system (CRS) was the target of the attack.
“An unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of our hotel reservations,” it states. Customer data that may have been accessed includes name, email, phone number, address, payment card number, card expiration date, and potentially security code.
An investigation by Sabre shows the attacker first obtained access to Trump Hotels data on Aug. 10, 2016 and most recently accessed the information on March 9, 2017.
“We are working with Sabre to address this issue. We understand that Sabre engaged a leading cybersecurity frim to support its investigation,” the notice states. “Sabre indicated that they also notified law enforcement and payment card brands about this incident.”
The Trump Hotel chain has been the subject of past data breaches. In October 2015 it confirmed that it suffered a breach between May 2014 and June 2015. The Trump Toronto hotel was also impacted by that breach, which also included payment card information.
Breaches affecting the hospitality and tourism industry are rampant, turning their reservation and POS systems into a cybersecurity “red-light” district, says Corey Williams, senior director of products and marketing at Centrify, a security vendor.
“Point of Sale breaches are still fairly common, but generally they involve malware installed into networks of POS systems. This malware acts as a virtual skimmer, stealing card data as it is temporarily stored in memory and sending it to the criminal’s servers. How that malware gets there is often through compromised accounts that are supposed to be used for administering said POS systems. Techniques such as requiring multifactor authentication for any access to POS systems helps to reduce the attack surface of POS networks.