Trump Hotels customers hit by credit-card stealing hackers. Again.


Donald Trump may know more about hacking than he’s letting on.

That’s because it has been revealed that the US president’s family-run hotel business has once again been hit by hackers, who have stolen the payment card information from guests at 14 different Trump properties.

A letter posted on the Trump Hotels corporate website explained that the hackers broke into Sabre Hospitality Solutions, a reservation service used by Trump Hotels, to steal data:

The Sabre SynXis Central Reservations system (CRS) facilitates the booking of hotel reservations made by consumers through hotels, online travel agencies, and similar booking services. Following an investigation, Sabre notified us on June 5, 2017 that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of our hotel reservations processed through Sabre’s CRS.

The investigation found that the unauthorized party first obtained access to Trump Hotels-related payment card and other reservation information on August 10, 2016. The last access to this information was on March 9, 2017.

Trump Hotels has provided a list of affected properties for concerned guests, as well as booking dates when reservations at each hotel are thought to have been at risk during the seven-month window.

As well as payment card information, in some cases it was possible for the hacker to also access hotel guests’ names, email addresses, phone numbers, postal addresses, and other information, potentially opening up further opportunities for fraud.

Reading the notification, it appears that hackers were able to access the Sabre system containing the reservation information because login credentials were stolen. Which begs the obvious question – why weren’t there sufficient authentication checks in place to ensure that only authorised users were able to access the sensitive data?

Merely relying upon a username and password clearly isn’t a sufficient method for guarding critical information. You would hope that there would – at the very least – be some form of two-factor authentication in place and a method of verifying that the user was accessing the data from an approved, whitelisted IP address. If such a security system had been in place it would have been much more difficult for an attacker to break into the system, even if they had managed to steal login credentials.
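The layered check described above, sketched as an added example (not code from Sabre, Trump Hotels or the original article): a login is accepted only when the password, a time-based one-time code (RFC 6238 TOTP) and the source IP all pass. The user name, password, secret and network range are constructed sample values.

```python
import base64, hashlib, hmac, ipaddress, struct

# Constructed sample values (assumptions, not taken from the incident).
SALT = b"salt-demo"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # approved office range
USERS = {
    "frontdesk": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
    }
}

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authorize(user, password, otp, source_ip, now):
    """Return (allowed, reason); the reason is for the audit log, not the client."""
    rec = USERS.get(user)
    if rec is None:
        return False, "unknown user"
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(pw, rec["pw_hash"]):
        return False, "bad password"
    # Accept the current and previous time step to tolerate clock skew.
    valid = [totp(rec["totp_secret"], now - d) for d in (0, 30)]
    if not any(hmac.compare_digest(otp.encode(), v.encode()) for v in valid):
        return False, "bad second factor"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source IP not allowlisted"
    return True, "ok"
```

A caller holding only the stolen username and password is rejected at the second-factor check, and a caller with a valid code from outside the approved range is rejected at the IP check.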

Sabre has indicated to Trump Hotels that it has informed law enforcement agencies and credit card companies about the security incident. Which is good – after all, it’s always important to take any potential hacking incident seriously and bring in the feds to properly investigate.

This isn’t, of course, the first time that Trump Hotels has been targeted by hackers. In fact, as recently as last September Trump International Hotels Management found itself having to pay US $50,000 to New York State following data breaches that exposed the personal details and payment card information of some 70,000 customers.

The Washington Post reports that Trump Hotels isn’t the only hospitality chain to have been hit as a result of the seven-month breach at Sabre. Other victims have included customers of 11 Hard Rock hotel properties and 21 Loews Hotels.


Source: Graham Cluley