On Sept. 29 Trump Hotel Collection posted an updated notice of “potential security incident” on its website. It admitted that a breach first reported in July by KrebsonSecurity had indeed affected the point-of-sale register systems at seven hotels in Chicago, Honolulu, Las Vegas, New York, Miami and Toronto. Compromised card data of as yet an undisclosed number of customers includes account numbers, expiration dates, CCV security codes and cardholder names.
The notice went on to say, “Upon becoming aware of the potential incident, we immediately hired an independent forensic investigator, notified the F.B.I. and financial institutions. In addition, we immediately removed the malware and are currently taking additional steps to further secure our systems.” They offered the customary and completely inadequate incident one year of complimentary identity protection services. Because credit and debit cards were hacked, identity theft is not an issue. All affected customers need to do is monitor card statements for any unauthorized purchases and report them to card issuers.
In early July Brian Krebs reported he had been contacted regarding reports from sources at several banks who traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels. At the time the company declined multiple requests for comment.
The company is now admitting that between May 19, 2014, and June 2, 2015 “unauthorized malware had access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels managed by the Trump Hotel Collection.” The attorney for the company has not verified when letters to affected customers may be mailed out.
The date of discovery closely matches a May 27 FBI alert which warned that the bureau had found a new type of POS malware dubbed “Punkey” was being used for in-the-wild attacks. The memory-scraping malware was reportedly tough to detect, not just because it obtained card data at the moment a card got swiped, but also because it encrypted card data before exfiltrating it to attackers.
The Trump Hotel breach is only one of a long string of credit card breaches involving hotel brands, restaurants and retail establishments including White Lodging and Hilton Hotels and franchises. This latest incident affected Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto.
Krebs commented that the “huge number of card breaches at U.S.-based organizations over the past year represents a response by fraudsters to upcoming changes in the United States designed to make credit and debit cards more difficult and expensive to counterfeit.” Unfortunately it appears that the Oct. 2015 deadline for distribution and use of chip-and-pin cards will not be met by card issuers and merchants giving crooks perhaps another year of grace to use the stolen data.