Breach Notification , Data Breach

Trump Hotels Confirms POS Malware Breach

Forensic Investigation Has Not 'Conclusively Determined' Card Data Exfiltrated, Misused
Trump Hotels Confirms POS Malware Breach

The hotel chain bearing 2016 U.S. presidential candidate Donald Trump's name has confirmed that its point-of-sale systems were infected by malware for more than a year. The confirmation comes about three months after the hotel chain said it was investigating reports that its POS systems had been breached (see Trump Hotels Investigates Hack Report).

See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics

The Trump Hotel Collection, in an undated "legal notice of potential security incident" posted on its website, now warns that POS systems at seven hotels that it manages - in Chicago, Honolulu, Las Vegas, New York, Miami and Toronto - were infected with malware, potentially affecting an unspecified number of customers.

"Payment card data - including payment card account number, card expiration date, security code, and cardholder name - of individuals who used a payment card at the hotel between May 19, 2014, and June 2, 2015, may have been affected," Trump Hotels says. It warns that attackers may have also obtained cardholders' names at the Las Vegas and Honolulu hotels.

"Like virtually every other company these days, we may have been the target of a cyber security incident," a Trump Hotel Collection spokeswoman tells Information Security Media Group. "Upon notification, we immediately engaged independent forensic experts. Although the forensic experts did not find that any customer information was removed from our systems, out of an abundance of caution we provided notice of the incident to our clients. We are also working with the U.S. Secret Service and the FBI to help catch these criminals and prosecute them to the full extent of the law. We are committed to safeguarding all guests' personal information and will continue to do so vigilantly."

Trump Hotels declined to comment about when the hotel chain posted the breach notification on its website, when the breach was discovered, how many customers were potentially impacted or how many U.S. and Canadian individuals will be receiving a breach notification.

The hotel chain has been downplaying the potential that card data was either exfiltrated or used to commit fraud. "Although an independent forensic investigation has not conclusively determined that any particular customer's payment card information was taken from the properties' payment card system or misused, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident and to call their attention to some steps they may choose to take to help protect themselves," its statement says.

Trump Hotel Properties has confirmed that POS systems at seven hotels - in six cities - were affected by the breach. Those include Trump International properties in Chicago, Honolulu, New York and Toronto; Trump International Hotel & Tower Las Vegas; Trump National Doral in Miami; and Trump SoHo New York.

All customers who used a payment card at those properties during the malware-infection period are being offered one year's worth of prepaid identity theft monitoring services via Experian, according to a sample breach-notification letter being sent to affected consumers by the law practice of Norton Rose Fulbright, which was posted by California's Office of the Attorney General, as Databreaches.net first reported.

Norton Rose Fulbright didn't immediately respond to a query about whether the letters have been sent to breach victims.

Hilton Investigates Potential Attack

The confirmation that Trump Hotels was compromised by POS malware comes just days after hotel chain Hilton said that it too is investigating whether it suffered a POS malware attack earlier this year. Security blogger Brian Krebs first reported that multiple banks reported seeing payment card fraud from at least April 21 to July 27 at restaurant and gift-shop POS systems in numerous Hilton locations, as well as at the company's Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts.

Officials at Hilton have yet to confirm a breach. "Hilton Worldwide is strongly committed to protecting our customers' credit card information," it says in a statement. "We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today's marketplace. We take any potential issue very seriously, and we are looking into this matter."

POS Malware

Meanwhile, Trump Hotel Properties has yet to reveal what type of malware infected its POS systems, although says the malware appeared to gain "unauthorized ... access to payment card information as it was inputted into the payment card systems," which suggests that attackers used memory-scraping malware.

Trump Hotel Properties also has yet to specify when or how it first discovered its breach. But the company says that its POS systems were malware-infected until June 2, when it eradicated the malware infection across all affected properties. While it may be a coincidence, that date closely follows a May 27 FBI alert, which warned that the bureau had found a new type of POS malware dubbed "Punkey" being used for in-the-wild attacks (see New Alerts About POS Malware Risks).

The memory-scraping Punkey malware was reportedly tough to detect, not just because it obtained card data at the moment a card got swiped, but also because it encrypted card data before exfiltrating it to attackers. Punkey, however, is just one of a number of different types of memory-scraping malware, which security experts say all function in a largely similar manner, and which too many organizations continue to fail to spot in a timely manner (see Why POS Malware Still Works).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network