Euro Security Watch with Mathew J. Schwartz

Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response

Radisson Suffers Global Loyalty Program Data Breach

Hotel Giant Has Yet to Disclose Total Number of Breach Victims
Radisson Suffers Global Loyalty Program Data Breach
The exterior of the Radisson Blu Strand Hotel in Stockholm (Photo: Radisson Hotel Group)

Radisson Hotel Group has suffered a data breach that resulted in the theft of data for its Radisson Rewards global loyalty program.

See Also: Realities of Choosing a Response Provider

The hospitality giant, based in Minnetonka, Minnesota, says the breach occurred on Sept. 11 and was discovered on Oct. 1.

Radisson is one of the largest hotel chains in the world, operating 1,400 hotels in more than 70 countries. It says it emailed data breach notifications to all affected customers this week, starting Tuesday and wrapping up by Wednesday. Business Traveler on Wednesday reported that Radisson Rewards members had begun receiving the communications.

How bad was the breach? The company tells me in a statement: "The data security incident impacted less than 10 percent of Radisson Rewards member accounts and did not compromise any credit card or password information."

But Radisson declined to answer many questions I posed, including quantifying the number of breach victims, a breakdown of the geographic location of victims, and whether the hotel chain had notified the U.K. Information Commissioner's Office - or another EU data protection authority - about the breach, if it was required to do so under the EU's General Data Protection Regulation (see: Facebook Submits GDPR Breach Notification to Irish Watchdog).

Since May 25, under GDPR, all organizations that suffer a serious breach involving Europeans' personal data must report the breach to relevant authorities within 72 hours of becoming aware of it. Failure to do so, as well as more general information security shortcomings, can expose an organization to steep fines.

Authorities say GDPR applies to any breach that spans or has occurred from May 25 onward.

Exposed Data

Radisson says the following information was exposed in the breach:

  • Member name;
  • Address, including country of residence;
  • Email address;
  • Company name (in some cases);
  • Phone number (in some cases);
  • Radisson Rewards member number (in some cases);
  • Any frequent flyer numbers on file (in some cases).

The hotel chain also says it moved quickly, once it discovered the breach 20 days after it occurred - which, to be fair, was relatively fast detection work. Indeed, incident response firm Mandiant says that last year, on average, intrusions went unnoticed for 57.5 days before being spotted (see: Data Breach Trends: Attackers' Dwell Time Decreases, Mostly).

The hotel chain says it's been monitoring affected accounts for signs of unusual activity. "Upon identifying this issue, Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior," Radisson says.

As with nearly every entity that suffers a breach, Radisson includes in its notification to customers the usual bromides about taking information security seriously.

"We take the data privacy and security of our members very seriously and are conducting an extensive ongoing investigation into the incident to help prevent data privacy incidents from happening again in the future," it says.

Don't Click Those Links

Here's a copy of the email that Radisson has been sending to affected loyalty program members.

Data breach notification sent to Radisson Rewards data breach victims

One immediate takeaway: Never click on any links included in data breach notification emails, because such communications would be easy for an attacker to spoof. In fact, it's a sure bet that such phishing attacks have already begun, and they may direct recipients to look-alike Radisson Rewards sites designed to steal their credentials and other personal data.

Instead, store the legitimate email address for any password-gated site or service you want to access in a password manager, and then access sites through the manager. Alternatively, enter the name of the website or service into a trusted search engine.

Risk: Loyalty Program Fraud

It's not clear if the Radisson breach may have been a targeted or opportunistic attack. But the restaurant and hospitality sector continues to suffer a data breach epidemic.

It's also not clear how valuable this stolen loyalty program data might be on its own.

The Loyalty Fraud Association says law enforcement agencies are taking a closer look at loyalty fraud, whether it's committed by current or former employees, or increasingly, organized crime syndicates. Europol, the EU's law enforcement intelligence agency, has also been paying more attention to loyalty fraud, including as part of its "action days," which focus on fraud in specific industry sectors (see: Police in Europe Tie Card Fraud to People-Smuggling Gang).

Loyalty program members have long been targeted via phishing attacks, and some estimates put the value of funds stored in global loyalty programs at $200 billion.

But as anyone who's ever tried to book an airline flight using "reward miles" knows, good luck getting value out.

Identity theft experts, however, note that some criminal groups create dossiers on individuals that may include personal details gleaned across multiple breaches. Think of these as credit reports, but for the cybercrime set. Such dossiers can enable identity thieves to more easily impersonate victims, for example, when fraudulently opening a bank account, taking out a loan or ordering e-commerce goods.

Payment Card Data Trumps All

But payment card data appears to remain much more prized by attackers for the simple reason that it's easy to sell and use to commit fraud. And when it comes to payment card data theft, the accommodation and food services sectors remain the most breached, according to Verizon's 2018 Data Breach Investigations Report.

Attackers also continue to rely on well-known tricks. "The ever-present combination of hacking and malware continues to be the proverbial 'burger and fries' of the industry," Verizon says.

Actions seen in Accommodation breaches

Threat actions within accommodation and food services breaches over time (Source: Verizon's 2018 DBIR)

Verizon notes that of the breaches its incident responders investigated in 2017 in the accommodation and food services verticals, 93 percent of all data compromised involved payment card data, while only 5 percent involved personal data and 2 percent resulted in credential theft.

Most hacking attacks - 81 percent - that Verizon investigated last year in these sectors involved the use of stolen credentials, "which are often taken en masse from a POS service provider breach and then used to compromise the POS systems of the service provider's customers. The next most common type of attack - representing 18 percent of hack attacks Verizon found - involved brute-force entry. In both cases, attackers' overwhelming goal was to install malware designed to capture - or scrape - payment card data at the moment a card got swiped or dipped into a point-of-sale system.

Verizon says: "96 percent of malware-related breaches utilize RAM scrapers to capture volatile POS transactional data." In the vast majority of cases - 96 percent of the time - accommodation and food service sector breaches don't get discovered until months after they've occurred.

Hotel Breach Epidemic Continues

News of the Radisson data breach follows a seemingly nonstop series of alerts from other hotel chains in recent years, including Hilton, Hyatt, Trump Hotels, Intercontinental Hotels Group - including such brands as Crowne Plaza Intercontinental and Holiday Inn - as well as HEI Hotels & Resorts and Omni Hotels & Resorts, among many others.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.