ZDNet is reporting today that the Radisson Hotel Group, based in Belgium, suffered a data breach of its loyalty member program. The chain accounts for over 1,400 hotels in over 70 countries and includes the Park Plaza brand, Country Inn & Suites, Park Inn, and Radisson Collection.
Management suggests that an attacker fraudulently used employee accounts which had permission to access this data.
The hotel group falls under the GDPR and may be liable for fines. IT security experts commented below.
Colin Bastable, CEO of Lucy Security:
“Radisson rightly warns its customers that they may become targets of phishing attacks and asserts that “Radisson Rewards will not ask for your password or user information to be provided in an e-mail.” However, phishing attacks can be far more sophisticated than seeking passwords and user information: attacks can harvest consumer data and drop malware payloads in different ways. Phone numbers were hacked – vishing attacks (phishing attacks by phone) are increasingly prevalent and profitable for hackers.
Furthermore, the attackers now have frequent flyer numbers, company email addresses and other PII (Personally Identifiable Information), so an attack may purport to come from an airline or a company colleague and not from Radisson. Convenience can be dangerous – allowing businesses to aggregate your online account information for the sake of a few points multiplies your personal risks, and can threaten the security of your employer. Attackers build long-term profiles of potential victims, which are for sale on the dark web. The repercussions of such an attack should not be underestimated.”
Pravin Kothari, CEO at CipherCloud:
“Earlier this week the airline industry was hit by another prominent cyberattack. Well, the same feeling of deja vu has rolled across the hotel industry with the data breach announcement by the Radisson Hotel Group this week. Radisson includes over 1,400 hotels across the world and includes many brands such as Country Inn & Suites, Park Inn, and, of course, the Radisson Collection. Radisson Rewards members were informed that a breach this month may have resulted in the potential disclosure of their personal information to include names, physical addresses, countries of residence, email addresses, some business names, telephone numbers, frequent flyer numbers, and Radisson Rewards member numbers. The European GDPR is now in effect, so the potential fines and other regulatory impacts of this data breach, if any, are still unknown.
Unfortunately, this is just the most recent cyberattack in the hotel industry. 2017 was a banner year for hotel cyberattacks, with the InterContinental Hotels Group, Sabre Hospitality Solutions (including Hard Rock Hotels, Four Seasons Hotels, Trump Hotels, and Loews Hotels), Hyatt Hotels, Galt House Hotel, and Hilton also reporting potential data breaches and/or cyberattacks. In 2016 the Hard Rock Hotel and Casino in Las Vegas also suffered a data breach of its card payment system. Earlier that year the Trump Hotel Collection appeared to be breached by hackers that penetrated their credit card systems. Other well-known hotels breached in 2016 included Rosen Hotels and Resorts, the Hutton Hotel, Noble House Hotels and Resorts, Millennium Hotels and Resorts, Kimpton Hotels & Restaurants, and the Dallas-based Omni Hotels and Resorts.”
Tony Richards, Group CISO and Head of Consulting at Falanx Group:
“With regard to GDPR they appear to have followed the notification rules.
As the breach appears to be due to an attacker having an authorised employee’s credentials, it will be interesting to see if these were stolen in a phishing attack or similar.
While security controls can be put in place to reduce the likelihood of a phishing attack being successful, they cannot be stopped 100% of the time. This is why it’s important to use security controls like MFA (multi-factor authentication).”
Lisa Baergon, VP of Marketing at NuData:
“Hackers find reward and loyalty programs a treasure trove, as many companies don’t always monitor those programs as closely as they would a transaction. Additionally, card members don’t necessarily pay attention until they want to use them for a free room. So, the alarm bells don’t go off soon enough, if at all. Confirming that all points of risk, not just the purchase, are fully secured will ensure the company’s environment is not a target for bad actors. Multi-layered solutions that include passive biometrics and behavioral analytics can do this seamlessly and without relying on usernames and passwords, blocking fraudulent activity inside an account before any assets are stolen.”
Ross Rustici, Senior Director, Intelligence Services at Cybereason:
“This class of data breach is fairly common, and most people affected have probably lost similar information multiple times through other data breaches in the past. The fact that passwords and financial information do not seem to be affected makes the likely impact of the breach much smaller. The two large implications of this particular incident revolve around how the EU decides to enforce GDPR. Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations. Secondly, the combination of address, frequent flyer numbers, and Radisson Rewards numbers can be useful for specific, low-incidence criminal use cases. Unlike a large-scale credit card breach, the most likely way this information is to be monetized is through enhancing pattern-of-life analysis on particular individuals, either high net worth or people with specific access to something. This type of information is far more useful for an intelligence targeting package than for large-scale monetization.”
Rusty Carter, VP of Product Management at Arxan Technologies:
“As financial services and other highly regulated industries lock down their apps and websites, attackers are increasingly moving on to softer targets that are still “data rich” in terms of the kind of personal information that can be stolen and then monetised.
The Radisson breach further highlights the hospitality industry as a target and the weakness of companies in identifying attacks underway.
Even with legislation like GDPR, companies are not securing or quickly disclosing the loss of customer information. Consumer trust is being stressed to the limit and we may be nearing an inflection point where a dramatic consumer plus government response will have acute and long-lasting impacts on business performance.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.