Oh, dear. Maybe the Trump Hotel Collection should start building a wall around its computer system. The company has to pay $50,000 and to prove that it has set up increased controls on its data security after breaches exposed more than 70,000 customers’ credit card numbers and other personal data, the New York state's attorney general said in announcing a settlement.
According to an article in Meetings & Conventions, it was back in May 2015 that multiple banks analyzed hundreds of fraudulent credit card transactions and determined the hotel group, one of Republican presidential nominee Donald Trump's businesses, was the last merchant with legitimate transactions, according to the attorney general's office.
Problem is, it would be a while until customers were notified. Despite the fact that the company knew by June 2015 that hotels in New York City, Miami, Chicago, Honolulu, Las Vegas and Toronto had been compromised, it did not notify customers for an additional four months. This, M&C notes, was a direct violation of New York business law requiring prompt notification.
The hacker infiltrated the hotel group's payment processing system in May 2014.
"It is vital in this digital age that companies take all precautions to ensure that consumer information is protected and that, if a data breach occurs, it is reported promptly to our office, in accordance with state law," said Attorney General Eric Schneiderman, a Democrat.
The Trump Hotels Collection said that while safeguarding customer information is a priority, "Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations, including almost every major hotel company.”
It was not clear which other hotel companies they were referring to.
According to the attorney general's office, the company last March received additional reports of a second security breach, an investigation showing a hacker got unauthorized access last November and installed credit card harvesting malware on 39 systems affecting five hotels, including Trump SoHo New York.
In April, the company added recommended precautions including authentication for remote access that requires username, password and then another piece of information only the user should know, such as a random number from a token.