Late yesterday (4th April), banking industry sources reported to KrebsOnSecurity that the Trump Hotel Collection appears to be dealing with another breach of its credit card systems. According to the sources, they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties. If confirmed, this would be the second such breach at the Trump properties in less than a year. Here to comment on this news are security experts from Rapid7 and Centrify.

Tod Beardsley, Security Research Manager, Rapid7:

“Today’s news that the Trump Collection of properties has been breached is eerily familiar. While it’s possible that the real story behind the breach could be anything from a disgruntled insider, to a breach of the core IT systems used in Trump properties, or some unique method of obtaining credit card data from Trump customers, the Krebs story sounds like many of the point-of-sale (POS) compromises that have recently hit major hotel and hospitality companies over the last 18 months.

I would be surprised if the techniques used by the attackers in this case were substantively different from those used against Starwood, Hyatt, and Hilton. We’ve seen that in the hotel industry, the POS systems are generally the weakest link in the IT chain, and technically savvy criminal organisations have clearly figured this out.

Retail companies, hotel chains, and restaurants should examine their own POS installations for common misconfigurations and exposures, such as default and easily guessed passwords, outdated software, and poor network segmentation.”

Chris Webber, Security Strategist, Centrify:

“The report of the breach at the Trump Hotel Collection is not surprising given the amount of public attention on Donald Trump himself, as well as the general fact that hotels are a popular target for attackers.

It seems unlikely that this is a politically-based attack, but just another in a long string of credit card breaches resulting from stolen credentials. One thing we can be sure of is that Trump is a target for both Hacktivists and financially-motivated attackers. Just last month Hacktivist group Anonymous posted a video declaring Trump an “enemy of the constitution,” and included a “gift” of his social security number and other personal information.

Whilst Trump is a polarising figure, we must recognise that we are all targets and we are only as strong as our weakest password. Perhaps Anonymous said it best in their video addressing Donald Trump: “You should have expected us.” If we continue to rely on passwords for protection, we should all expect to be breached as well.”
