Trump Hotel Group Settles With NY Attorney General Over Credit Card Data Breaches

In the wake of two data breaches at hotels operating under the Trump Hotel Collection umbrella, the attorney general for the state of New York has reached a settlement with the company that involves a small financial penalty and promises of improved data security.

Last summer, the Trump hotel group confirmed a data breach affecting the payment card systems at multiple locations run by the company. Though the breach was discovered in June 2015, investigators later learned that the malware that had infected the system had been in place for about a year, collecting payment card information for some 70,000 accounts.

According to New York Attorney General Eric Schneiderman, the hotel group further erred by not providing notice to affected customers until Sept. 25, 2015, even though it knew that some stolen card information had already been used to try to make fraudulent purchases. The state alleged that this delay violated a New York law requiring businesses that have been hit with a data breach to alert affected customers “in the most expedient time possible and without unreasonable delay.”

The 2014 breach affected the following seven hotels:
• Trump SoHo New York
• Trump National Doral (Miami)
• Trump International New York
• Trump International Chicago
• Trump International Waikiki
• Trump International Hotel & Tower Las Vegas
• Trump International Toronto

Breach #2

Earlier this year, there were reports of a subsequent data breach affecting five Trump hotels.

Schneiderman’s office says an investigation found that this particular malware attack had begun on Nov. 10, 2015, months after the company learned of the earlier breach. Additionally, the attacker behind this second breach was able to obtain personal information — including names and Social Security numbers — for around 300 people from an older database of Trump Hotel Collection property owners.

Investigators into the first breach had recommended that the Trump group adopt a number of improved security precautions that the AG’s office believes could have prevented the second breach. However, Schneiderman says they were not deployed until April 2016, after the second attack had been discovered.

In addition to a $50,000 penalty, the hotel group has agreed to a number of changes to improve its data security, like instituting a program to identify data and privacy risks, implementing reasonable safeguards — like two-factor authentication for remote access to the networks — to control these risks; and regular testing of these safeguards.

“It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law,” said Schneiderman in a statement.