In May a year ago, multiple banks discovered hundreds of fraudulent credit card transactions with one common element.
Trump hotels was the last merchant where a legitimate transaction took place. Known as the “common point of purchase (CPP),” it typically points to the target of a cyber-attack.
Trump Hotels Hit by Cyber Attack
- Trump SoHo New York – 246 Spring Street, New York, NY 10013;
- Trump National Doral – 4400 N.W. 87th Avenue, Miami, FL 33178;
- Trump International New York – One Central Park West, New York, NY 10023;
- Trump International Chicago – 401 N. Wabash Avenue, Chicago, IL 60611;
- Trump International Waikiki – 223 Saratoga Road, Honolulu, HI 96815;
- Trump International Hotel & Tower Las Vegas – 2000 Fashion Show Drive, Las Vegas, NV 89109;
- Trump International Toronto – 325 Bay Street, Toronto, Ontario, Canada M5H 4G3.
Source: NYAG’s Office
“It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law,” said NY Attorney General Eric Schneiderman in a statement.
A forensic investigation confirmed the existence of credit card targeting malware at multiple Trump hotels in New York, Las Vegas and Chicago.
The probe determined that a cyber attack took place in May, 2014, and successfully breached an administrative account using legitimate domain administrator credentials.
The attacker planted malware in the system designed to steal credit card information across Trump hotel’s computer network.
Trump hotels knew as early as June 2015 that malware had been uploaded into its system to steal credit card data, but failed to notify customers for four months, the AG’s office said. It finally placed a notice on its Web site last September.
The delay violated New York’s General Business Law, said Schneiderman. The statute requires notice to consumers “in the most expedient time possible and without unreasonable delay.”
A second breach was discovered this past March. It revealed a cyber attack had successfully breached the hotel’s credit card system on five hotel properties in Nov. 2015, including Trump SoHo New York and Trump International Hotel & Tower.
Consumers hit by that breach were finally notified in June.
The second breach was only made possible because Trump hotels failed to install safety measures recommended after the first breach, Schneiderman said.
The settlement was reached with Trump International Hotels Management LLC, also known as the Trump Hotel Collection (THC).
In addition to the fine, it requires THC to maintain reasonable security policies and procedures designed to protect consumer personal information.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Resident Technologist Marc Kowtko, under the supervision of Bureau Chief Kathleen McGee and Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.