Radisson Hotels Suffer Data Breach

Unknown Number of Records Exposed During 6-Month Period

An unknown number of Radisson Hotel guests in the U.S. and Canada may face credit card fraud in the wake of a data breach announced by the hotel chain this week.

In an open letter to customers, Fredrik Korallus, CEO of the hotel chain, detailed the breach, in which hackers had access to the company's computer systems for a six-month period, from November 2008 to May 2009.

According to the hotel chain's spokesperson, David Chamberlin, the forensic investigation of the breach is still underway, with federal law enforcement involved, and the company is not yet able to provide an accurate estimate of the number of potentially exposed records.

"We are not aware of a connection to the recent reports of 130 million records being taken," Chamberlain says, referencing this week's news about arrests in the Heartland Payment Systems data breach. "The number of files at issue here is nothing close - a tiny fraction," he says. "This incident is limited to guests for certain times at some hotels."

The facts of the breach released by Radisson:

Between November 2008 and May 2009, the computer systems of some Radisson Hotels & Resorts in the U.S. and Canada were accessed without authorization. This past spring, the company was able to confirm an intrusion. The investigation is ongoing.
The accessed computer systems contained guest information such as the name printed on a credit or debit card, the account number and the expiration date on the card. "We do not know, however, whether a particular name, credit or debit card number or card expiration date were in fact accessed or taken," he says.
The accessed computer systems did not include Social Security numbers.
The hotel says at this time, "it appears to be an unauthorized attack from an outside source, and have no reason to believe it was an insider."
The hotel says it has worked closely with the major credit card brands, issuers, the credit reporting agencies, and its payment processor, Elavon, to address the incident.
It also placed ads announcing the breach in the Wall Street Journal and USA Today on Wednesday and has set up a dedicated web site to address customer questions.
Notification letters were sent to affected consumers, where they were able to be identified, Chamberlain says.

Industry Privacy Expert Responds
The Radisson Hotel company appears to be doing a reasonable job in communicating what it knows to concerned parties, says Dr. Larry Ponemon, founder of the Ponemon Institute, a privacy and information security research firm. He asserts this breach event involved a third-party payment processing company, and adds, "This appears to be a typical pattern, where insecure third parties provide the venue for criminal conspiracy."

He isn't surprised that the breach event ended in May and is just being reported now. In his experience, "Some breach events take weeks or even months to investigate. Early communication to breach victims before getting all the necessary facts can diminish the integrity of a criminal investigation. What is surprising is the fact that Radisson still does not know a precise number of compromised records."

Ponemon sees that companies in the hotel and leisure industry have challenges securing sensitive or confidential customer information for two main reasons. "First, these organizations thrive on the collection of consumer information in order to personalize the guest's positive experience," he says. "Beyond payment information, sensitive data may include room service orders, movie rentals, room entry/exit and much more."

Secondly, the IT infrastructures of some large hotel chains are decentralized or fragmented, "thus making it difficult to devise an enterprise security strategy," Ponemon says.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.