Trump Hotels Breached Again?Some Issuers, Security Experts Suspect Second Breach
Trump Hotel Collection, a luxury hotel chain owned by Republican presidential candidate Donald Trump, confirms it's investigating a possible data breach that some security sources say may have targeted the chain's point-of-service system for card data.
Suspicious card payment activity tied to Trump hotels was reportedly first identified by issuers in Canada, Illinois and Hawaii, sources told Information Security Media Group last week.
What's not clear, however, is whether some of this most recent suspected fraudulent card activity is indicative of a new breach or just residual activity connected to an earlier breach that Trump Hotels disclosed in late September, some three months after it initiated its investigation into a possible POS system attack (see Trump Hotels Confirms POS Malware Breach).
"Like virtually every other company these days, we are routinely targeted by cyber-terrorists whose only focus is to inflict harm on great American businesses," Trump Hotels spokesman Eric Trump, one of Donald Trump's sons, noted in a statement provided to Information Security Media Group on April 5. "We are in the midst of a thorough investigation on this matter and are working with the U.S. Secret Service and the FBI to help catch these criminals and prosecute to the full extent of the law. We are committed to safeguarding all guests' personal information and will continue to do so vigilantly."
On April 4, security blogger Brian Krebs reported that that three "financial sector" sources had identified fraud patterns that suggested a breach at some, if not all of Trump Hotel Collection's more than a dozen hotels around the world.
None of the card issuers and other sources contacted by ISMG could say how many cards may have been impacted, but they said that it appears that this newest wave of fraudulent activity is linked to a compromise that lasted from November 2015 until March 2016.
One executive with an issuer on the West Coast who asked not to be named says the latest incident seems to be smaller and shorter-lived than the malware infection that was confirmed last year. That infection impacted POS systems at seven of Trump Hotels in Chicago, Honolulu, Las Vegas, New York, Miami and Toronto for more than a year.
The executive with the institution on the West Coast estimates that about 1 million credit and debit accounts have likely have been exposed in this most recent incident.
Trump Hotels never revealed how many cards may have been exposed last year, but the company said in a statement that cards used at those properties between May 19, 2014 and June 2, 2015 may have been affected.
A New Breach?
John Buzzard, formerly the head of FICO's Card Alert Service who now works as director of product management for security firm Rippleshot Fraud Analytics, says he does not believe Trump Hotels has been breached a second time.
"Before anyone gets excited over the suggestion that the Trump brand has been singled out with a new targeted attack, there should be some consideration given to the fact that the last breach was less than a year ago," he says. "This seems more like a double-dip replay on the cards already breached in July, classic fraudster bad behavior. Ask anyone. If there is a card that has been breached and remains open, as most do today, the criminals just wait and strike again when the memory of that breach fades."
But Seth Ruden, senior fraud consultant of payment risk solutions for payments platform provider ACI Worldwide, contends that it's likely that attackers waged a second attack using a backdoor or network-entry point used to access the POS system during the first attack that was not secured after the last breach was discovered. If that's the case, then it's probable that a sophisticated criminal group, not a group motivated to attack Trump Hotels for political reasons, is behind it, Ruden adds.
"This is unlikely the typical hacktivists that I've encountered that have made charitable donations with their gains to make the point out of protest," he says. "This has the fingerprints of typical fraud. ... The hospitality industry has been heavily targeted in the last couple of years; as a result, many hoteliers have moved to new technologies, such as tokenization, to mitigate the risk and protect their customers and their brand."
Al Pascual, head of fraud and security at Javelin Strategy & Research, also says this most recent apparent breach is not likely politically motivated.
"Donald Trump has made quick enemies of cyberterrorists, including Anonymous, which started their attacks back in December," he says.
As recently as last week, the hacktivist group known as Anonymous took several of Donald Trump's campaign sites offline, according to political news site The Hill. Attacks against Trump's websites have reportedly been waged for political reasons, part of a digital war against Trump's campaign.
"But if there's a pattern of fraud associated with the compromised data, then I'd be hard pressed to believe it was motivated by anything more than financial gain, especially if no one claims responsibility. Until then, a cyber-terror attack is convenient cover for fraudsters, and useful to Donald Trump for political points."
In November, hotel chain Hilton Worldwide acknowledged that a breach affecting an unspecified number of hotels, exposed customer and payment card data between November 2014 and April 2015.
Hilton's breach notification came on the heels of a breach notice from Starwood Hotels and Resorts, which also in November confirmed that POS systems used in its restaurants, gift shops and other locations had been breached at multiple properties across North America.
Hotels a Prime Target
Zach Forsyth, director of technology innovation at security firm Comodo, says the hospitality industry is increasingly being targeted by cybercriminals because they hold valuable personal information about cardholders.
"Large, well-known chains are even more susceptible targets, due to the sheer volume of data that they store and share," he says. "Unfortunately, many of these companies have antiquated IT security technology in place, which is an easy workaround for the hackers. It's a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left. By then, it's too late."
Kevin Watson, CEO at Netsurion, which provides remote security services, says malware, once on a network, often enables hackers to tunnel their way to connected POS systems with ease.
"Many recent breaches have involved malware that, once installed, exfiltrates sensitive data," Watson says. "There's no silver-bullet strategy to defend against every threat. However, a strong line of defense is making sure that data doesn't leave the network without the admin's knowledge - and if data is sent out, it only goes to verified internet addresses. Security must be layered with a properly managed firewall, data encryption, network segmentation, passwords and access controls, software updates and antivirus/anti-malware software. Along with protecting incoming traffic and preventing access by malicious actors, it's critical to limit outbound internet traffic as well."