BankInfoSecurity.com - Information Security News, Regulations, & Education

Just Released: Our Online Webinar Catalog

Bank Information Security Articles

Radisson Hotels Suffer Data Breach

Credit
EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Unknown Number of Records Exposed During 6-Month Period

August 21, 2009 - Linda McGlasson, Managing Editor

Save

Digg

Delicious

Please login or register to save this article.

An unknown number of Radisson Hotel guests in the U.S. and Canada may face credit card fraud in the wake of a data breach announced by the hotel chain this week.

In an open letter to customers, Fredrik Korallus, CEO of the hotel chain detailed the breach, which involved computer systems invaded by hackers for a six-month period, from Nov. 2008 to May 2009.

According to the hotel chain's spokesperson, David Chamberlin, the forensic investigation of the breach is still underway, with federal law enforcement involved, and the company isn't unable to provide accurate estimates of the number of potentially exposed records.

"We are not aware of a connection to the recent reports of 130 million records being taken," Chamberlain says, referencing this week's news about arrests in the Heartland Payment Systems data breach. "The number of files at issue here is nothing close - a tiny fraction," he says. "This incident is limited to guests for certain times at some hotels."

The facts of the breach released by Radisson:

Between November 2008 and May 2009, the computer systems of some Radisson Hotels & Resorts in the U.S. and Canada were accessed without authorization. This past spring, the company was able to confirm an intrusion. The investigation is ongoing.

The accessed computer systems contained guest information such as the name printed on a credit or debit card, the account number and the expiration date on the card. "We do not know, however, whether a particular name, credit or debit card number or card expiration date were in fact accessed or taken," he says.

The accessed computer systems did not include Social Security numbers.

The hotel says at this time, "it appears to be an unauthorized attack from an outside source, and have no reason to believe it was an insider."

The hotel says it has worked closely with the major credit card brands, issuers, the credit reporting agencies, and its payment processor, Elavon, to address the incident.

It also placed ads announcing the breach in the Wall Street Journal and USA Today on Wednesday and has set up a dedicated web site to address customer questions.

Notification letters were sent to affected consumers, where they were able to be identified, Chamberlain says.

Click to Get Updates on the Latest Information Security News

Company*

Title*

Email*

Subscription Type:

Healthcare Enews

General Healthcare Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Government Enews

General Government Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Banking Enews

General Banking Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Credit Union Enews

General Credit Union Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Need Help?

Industry Privacy Expert Responds
The Radisson Hotel company appears to be doing a reasonable job in communicating what it knows to concerned parties, says Dr. Larry Ponemon, founder of the Ponemon Institute, a privacy and information security research firm. He asserts this breach event involved a third-party payment processing company, and adds, "This appears to be a typical pattern, where insecure third parties provide the venue for criminal conspiracy."

He isn't surprised that the breach event ended in May and is just being reported now. In his experience, "Some breach events take weeks or even months to investigate. Early communication to breach victims before getting all the necessary facts can diminish the integrity of a criminal investigation. What is surprising is the fact that Radisson still does not know a precise number of compromised records."

Ponemon sees that companies in the hotel and leisure industry have challenges securing sensitive or confidential customer information for two main reasons. "First, these organizations thrive on the collection of consumer information in order to personalize the guest's positive experience," he says. "Beyond payment information, sensitive data may include room service orders, movie rentals, room entry/exit and much more."

Secondly,the IT infrastructures for some large hotel chains are decentralized or sometimes fragmented - "thus making it difficult to devise an enterprise security strategy," Ponemon says.

Next Related Article:

2010 Data Breach Timeline

Topics of Interest

ID Access & Management

Is The Door To Your Company's Private Data Wide Open?
25 Best Practices for Managing User Access to Desktops, Networks, and Applications to Ensure Regulatory Compliance

NCUA Part 748

5 Top Security Threats to Credit Unions
NCUA - Filing Requirements for Suspicious Activity Reports

FACTA

Identity Theft Red Flags Rule Compliance Survival Guide
ID Theft Red Flags Examinations: What to Expect?

Identity Theft Red Flags Rule

Identity Theft Red Flags Rule Survey: Executive Summary
Identity Theft Red Flags Rule Compliance Survival Guide

Payments

Heartland's Bob Carr on Leadership in a Crisis
FDIC on Top Fraud Threats to Banks

Phishing

Online Transaction Origination: Ensuring Customer Confidence & Trust
Man-in-the-Middle Attacks: Helping to Eliminate the Threat Without Impacting the Business

Latest Tweets & Mentions

Recent Content
Most Popular

1Heartland, Discover Settle at $5 Million
2How to Protect Consumers from ID Theft
3The Mobile Mandate
4Church Latest Victim of ACH Fraud
5Video: Why Cyber Challenge is Needed
6FDIC: 829 Troubled Banks
7ID Theft: Courts Cracking Down
810 Tips to Thwart Skimming
9Skimming: Old Crime, New Tools
10Key Elements of Risk Management

1Failed Banks and Credit Unions, 2010
22010 Data Breach Timeline
3Pay-At-The-Pump Skimming on the Rise
4Account Takeover: The New Wrinkle
5Tapping the Power of Social Media
6ATM Skimming: How Effective is Jitter?
741 Banking Breaches So far in 2010
8New Fraud Spree Investigated
9Social Media Policy - The 6 Essentials
10FDIC: Top 5 Fraud Threats

BankInfoSecurity.com Research

Podcast:Mortgage Fraud: Compliance to be a Challenge
Webinar:Testing Security Controls: Learn from the Experts
Handbook:2010 Webinar Catalog
White Paper:Understanding Man-in-the-Browser Attacks and Addressing the Problem
Regulation:FHFA: Issues Subpoenas for PLS Documents

Recent Blog Entries

Be Mindful of Insider Fraud Against Seniors

California's Financial Abuse Reporting Act, SB 1018, which r…

Read The Agency Insider by Linda McGlasson

Vendor Solutions

Tripwire

Solutions For:

Database Security, Patch / Configuration Management, Security Configuration Management
Intrusion Inc.

Solutions For:

Content Management/ Filtering, Email Security, Identity Theft Prevention

Marketplace

Information Security Media Group - Family of Websites

Banking

BankInfoSecurity.com
Careers
Blogs

Credit Unions

CUInfoSecurity.com
Careers
Blogs

Government

GovInfoSecurity.com
Careers
Blogs

Healthcare

HealthcareInfoSecurity.com
Careers
Blogs

About Us
Contact Us
Site Map
Terms of Service
Advertise
RSS

BankInfoSecurity NewsGet the RSS Feed
Agency ReleasesGet the RSS Feed
Latest ArticlesGet the RSS Feed
WebinarsGet the RSS Feed
BankInfoSecurity.com BlogGet the RSS Feed

Home
Training
Resources
Content Library
- Agency Releases
- Articles
- Handbooks
- Podcasts
- Surveys
- Webinars | Calendar
- White Papers
Careers
Blog

Advanced Search

Browse Topics

Agencies

Federal Deposit Insurance Corp
Federal Reserve Board
Federal Trade Commission
FFIEC
FHFA
FinCEN
Government Accountability Office
National Credit Union Admin.
NIST
Office Comptroller of Currency
Office of Thrift Supervision

Anti-Money Laundering

Banking Today

Confidence In Banking

Business Continuity & Disaster Recovery

Pandemic Preparation

Compliance

Bank Secrecy Act
Basel II
CA Bill 1386
E-SIGN Act
FACTA
Gramm-Leach-Bliley Act
Guidance
Identity Theft Red Flags Rule
NCUA Part 748
Patriot Act
PCI DSS
Sarbanes-Oxley Act

Emerging Technology

Application Security
Authentication
Cloud Computing
Data Loss
Encryption
GRC
ID Access & Management
Messaging
Mobile Banking
Network/Perimeter
Remote Capture
SIM/SEM
Social Media
Storage
Web Security

Fraud

ACH
ATM
Check
Debit, Credit, Prepaid Cards
First Party
Insider
Mortgage
Payments
Wire

Governance & Standards

BITS
Cobit
COSO
FFIEC Handbook
ISO
ITGI
ITIL
PCAOB

Identity Theft

Pharming
Phishing
Skimming

Leadership & Management

Physical Security

Biometrics

Risk Management

HR
Incident Response
Information Security Compliance
Insider Threat
IT Audit
Privacy
Risk Assessment
Social Engineering
Vendor Management

Training & Education

FHFA: Issues Subpoenas for PLS Documents..Next Topic
The Electronic Funds Transfer (EFT) Act - Regulation E..Next Topic
The Electronic Funds Transfer (EFT) Act - Regulation E..Next Topic
FFIEC Issues 2009 Mortgage Fraud White Paper:The Detection and Deterrence of Mortgage..Next Topic
DoJ: Report to Congress on Implementation of Section 1001 of the USA PATRIOT Act..Next Topic
FDIC: Fraudulent Work-at-Home Funds Transfer Agent Schemes..Next Topic
Joint Statement by Education Secretary Duncan, Homeland Security Secretary Napolitano and..Next Topic
Obama's Cyberspace Policy Review: Assuring a Trusted and Resilient Information and..Next Topic
Obama's Cyberspace Policy Review: Assuring a Trusted and Resilient Information and..Next Topic
NIST: PIV Card Application and Middleware Interface Test Guidelines, SP800-85A-1..Next Topic

A-
A
A+