New York A.G. Reaches Settlement with Trump Hotel Collection Over Data Breaches

The New York Attorney General's office announced Friday that it has reached a $50,000 settlement with the Trump Hotel Collection over two data breaches that resulted in the exposure of more than 70,000 credit card numbers and other personal data.

The hotel collection has also agreed to improve its data security practices. According to the A.G., the hotel chain did not adopt a recommended security precaution after the first breach, the implementation of which that could have prevented the second breach.

Trump hotels affected by the breach include:

1. Trump SoHo New York - 246 Spring Street, New York, NY 10013;
2. Trump National Doral - 4400 N.W. 87th Avenue, Miami, FL 33178;
3. Trump International New York - One Central Park West, New York, NY 10023;
4. Trump International Chicago - 401 N. Wabash Avenue, Chicago, IL 60611;
5. Trump International Waikiki - 223 Saratoga Road, Honolulu, HI 96815;
6. Trump International Hotel & Tower Las Vegas - 2000 Fashion Show Drive, Las Vegas, NV 89109; and
7. Trump International Toronto - 325 Bay Street, Toronto, Ontario, Canada M5H 4G3.

According to the A.G.'s office, the above mentioned properties were infected with malware designed to steal credit card numbers and related information.

The first breach was confirmed in June 2015, however as alleged by the attorney general's office, the chain did not provide notice to its customers until close to four months later, violating New York's general business law that requires customers be notified, “in the most expedient time possible and without unreasonable delay.” Fraudulent credit card purchases analyzed by multiple banks in May 2015 identified the chain as the last merchant where a legitimate transaction took place.

Further investigation revealed that the chain's payment processing system was infiltrated by an attacker through an administrative account. The attacker deployed malware designed to steal credit card information across the hotel chain's network, according to the A.G.

A second breach was confirmed in March 2016 where an attacker gained unauthorized access in Nov. 2015, installing credit card harvesting malware on 39 systems affecting five hotel properties, the A.G. said. The forensic investigation also found that on March 21 the attacker connected to a legacy payment system on the network of the Trump International Hotel & Tower New York, which included the personal information of THC property owners including the names and social security numbers of approximately 302 people, 44 of whom live in New York.

The affected individuals were notified on June 10, 2016, the A.G. said.

After the first breach, the investigation recommended that the hotel chain adopt additional security precautions including “two-factor authentication." However, the solution was not adopted until April 2016. The A.G.'s office said that if the chain had adopted the solution after the first breach it may have prevented the second breach.

“It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law," Attorney General Schneiderman said in the press release. “Consumers personal information are all too often exposed to wrong-doers with ill-intent. We will continue working to help protect hardworking New Yorkers from all forms of identity theft.”

Patch will update this breaking news story.

Image Credit: Eden, Janine and Jim via Flickr Creative Commons