Radisson Hotels Suffer Data Breach
Unknown Number of Records Exposed During 6-Month Period
An unknown number of Radisson Hotel guests in the U.S. and Canada may face credit card fraud in the wake of a data breach announced by the hotel chain this week.
In an open letter to customers, Fredrik Korallus, CEO of the hotel chain, detailed the breach, in which hackers had access to computer systems for a six-month period, from Nov. 2008 to May 2009.
According to the hotel chain's spokesperson, David Chamberlin, the forensic investigation of the breach is still underway, with federal law enforcement involved, and the company is unable to provide accurate estimates of the number of potentially exposed records.
"We are not aware of a connection to the recent reports of 130 million records being taken," Chamberlin says, referencing this week's news about arrests in the Heartland Payment Systems data breach. "The number of files at issue here is nothing close - a tiny fraction," he says. "This incident is limited to guests for certain times at some hotels."
The facts of the breach released by Radisson:
Industry Privacy Expert Responds
The Radisson Hotel company appears to be doing a reasonable job in communicating what it knows to concerned parties, says Dr. Larry Ponemon, founder of the Ponemon Institute, a privacy and information security research firm. He asserts this breach event involved a third-party payment processing company, and adds, "This appears to be a typical pattern, where insecure third parties provide the venue for criminal conspiracy."
He isn't surprised that the breach event ended in May and is just being reported now. In his experience, "Some breach events take weeks or even months to investigate. Early communication to breach victims before getting all the necessary facts can diminish the integrity of a criminal investigation. What is surprising is the fact that Radisson still does not know a precise number of compromised records."
Ponemon says companies in the hotel and leisure industry face challenges securing sensitive or confidential customer information for two main reasons. "First, these organizations thrive on the collection of consumer information in order to personalize the guest's positive experience," he says. "Beyond payment information, sensitive data may include room service orders, movie rentals, room entry/exit and much more."
Secondly, the IT infrastructures for some large hotel chains are decentralized or sometimes fragmented - "thus making it difficult to devise an enterprise security strategy," Ponemon says.