Settlement Reached with Trump Hotel Collection Over Data Breaches

A $50,000 settlement agreement has been reached between the Trump Hotel Collection and the New York Attorney General’s office in regard to two data breaches that resulted in more than 70,000 credit card numbers and other personal data being exposed.

The Trump hotel group has also agreed to take steps to improve its data security practices. According to New York’s Attorney General, the hotel chain did not adopt a recommended security precautions after the first breach. Implementing the measures could have prevented the second breach, the A.G.'s office said.

Trump hotels affected by the breach include:

1. Trump SoHo New York - 246 Spring Street, New York, NY 10013;

2. Trump National Doral - 4400 N.W. 87th Avenue, Miami, FL 33178;

3. Trump International New York - One Central Park West, New York, NY 10023;

4. Trump International Chicago - 401 N. Wabash Avenue, Chicago, IL 60611;

5. Trump International Waikiki - 223 Saratoga Road, Honolulu, HI 96815;

6. Trump International Hotel & Tower Las Vegas - 2000 Fashion Show Drive, Las Vegas, NV 89109; and

7. Trump International Toronto - 325 Bay Street, Toronto, Ontario, Canada M5H 4G3.

According to the A.G.'s office, the above mentioned properties were infected with malware designed to steal credit card numbers and related information.

The first breach was confirmed in June 2015, however as alleged by the attorney general's office, the chain did not provide notice to its customers until close to four months later, violating New York's general business law that requires customers be notified, “in the most expedient time possible and without unreasonable delay.” Fraudulent credit card purchases analyzed by multiple banks in May 2015 identified the chain as the last merchant where a legitimate transaction took place.

Further investigation revealed that the chain's payment processing system was infiltrated by an attacker through an administrative account. The attacker deployed malware designed to steal credit card information across the hotel chain's network, according to the A.G.

A second breach was confirmed in March 2016 where an attacker gained unauthorized access in Nov. 2015, installing credit card harvesting malware on 39 systems affecting five hotel properties, the A.G. said. The forensic investigation also found that on March 21 the attacker connected to a legacy payment system on the network of the Trump International Hotel & Tower New York, which included the personal information of THC property owners including the names and social security numbers of approximately 302 people, 44 of whom live in New York.

The affected individuals were notified on June 10, 2016, the A.G. said.

After the first breach, the investigation recommended that the hotel chain adopt additional security precautions including “two-factor authentication." However, the solution was not adopted until April 2016. The A.G.'s office said that if the chain had adopted the solution after the first breach it may have prevented the second breach.

By Feroze Dhanoa (Patch National Staff)

Image Credit: Eden, Janine and Jim via Flickr Creative Commons