April 4, 2016

Banking industry sources tell KrebsOnSecurity that the Trump Hotel Collection — a string of luxury properties tied to business magnate and Republican presidential candidate Donald Trump — appears to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year.

Trump International Hotel in New York.

Trump International Hotel in New York.

A representative from Trump Hotels said the organization was investigating the claims.

“We are in the midst of a thorough investigation on this matter,” the company said in a written statement. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

KrebsOnSecurity reached out to the Trump organization after hearing from three sources in the financial sector who said they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties.

On July 1, 2015, this publication was the first to report that banks suspected a breach at Trump properties. After that story ran, Trump Hotel Collection acknowledged being alerted about suspicious activity tied to accounts that were recently used at its hotels. But it didn’t officially confirm that its payment systems had been infected with card-stealing malware until October 2015.

The Trump Hotel Collection includes more than a dozen properties globally. Sources said they noticed a pattern of fraud on cards that were all used at multiple Trump hotel locations in the past two to three months, including at Trump International Hotel New York, Trump Hotel Waikiki in Honolulu, and the Trump International Hotel & Tower in Toronto.

The hospitality industry has been hit hard by card breaches over the past two years. In April 2014, hotel franchising firm White Lodging confirmed its second card breach in a year. Card thieves also have hit Hilton, Hyatt, and Starwood properties. In many of those breaches, the hacked systems were located inside of hotel restaurants and gift shops.

Like most other current presidential candidates, Mr. Trump has offered little in the way of a policy playbook on cybersecurity. But in statements last month, Trump bashed the United States as “obsolete” on cybersecurity, and suggested the country is being “toyed with” by adversaries from China, Russia and elsewhere.

“We’re so obsolete in cyber,” Trump told The New York Times. “We’re the ones that sort of were very much involved with the creation, but we’re so obsolete.” Trump was critical of the US military’s cyber prowess, charging the Defense Department and the military are “going backwards” in cyber while “other countries are moving forward at a much more rapid pace.”

“We are frankly not being led very well in terms of the protection of this country,” Trump said.

77 thoughts on “Sources: Trump Hotels Breached Again

  1. Likes2LOL

    This is HUGE news — Thanks, Brian! 😉

      1. Brian Krebs

        i see what you guys did there. haha.

        my fav, from @ftpalum, Let me tell you about encryption. I can say I don’t know a whole lot about encryption, but we’re gonna have the best encryption…

  2. Robert.Walter

    How could this happen, twice?? I thought Trump only hired the best of the best to work for him!

    Maybe The Donald should just negotiate with the hackers!

    1. Jonathan Jaffe

      Robert Walter: you beat me to the keyboard!

      Best laugh I’ve had all week.

      Jonathan @NC3mobi

    2. Joebob2000

      Obviously Obama’s fault, he’s a nobody from Kenya!

      1. Ben Dover

        Prove it, or stop your racist remarks !

        1. JCitizen

          I took it as sarcasm – so touchy we are!

        2. Fin-Man

          OMG Ben Dover! I see sarcasm all over that comment. Can’t you?

          1. kopecky

            Mike Hunt says Ben Dover cause it’s Deja Vu all over again.

            1. Moe Lester

              We’re so obsolete in cyber … You can make countries nonfunctioning with a strong use of cyber

              Stealing credit cards is absolutely the least form of cyber waterboarding. We are so weak. Believe me, I will unleash the cyber pathogen.

      2. Hillary Clinton IT Services

        The NSA, FBI, DOD… our most sensitive and secretive organizations have been repeatedly hacked, even the employee dbase for the NSA. It’s amazing how much liberals will mock Trump for this when the democrats guarding our nation’s secrets have done nothing to secure out state secrets (Hillary). How about Snowden, all done on the Democrats watch. These things really matter, Trump hotel breaches don’t expose govt employees and programs and put lives at risk. Democrats lack of infotech security leadership hurts our nation and puts lives at risk, big difference.

        1. CooloutAC

          They closest they ever got to Hillary’s email was by hacking a Bill Clinton aide using aol, and that didn’t help their enemies much. I applaud Hillary for having her own email server. Especially in this day and age. Yes its true congress has been hacked by the chinese, the russians, and even their very own CIA hacked their computers and stole data over torture memos LMAO. The Presidents ipad was hacked, the first ladies email…etc… And we know that since Nixon the political parties spy on each other. They can’t get anything on HIllary though and that pisses them off. She is a magician. Even in the 50,000 emails she released they can’t get nothing on her except smoke. And people can make fun of her for saying the way to beat ISIL is with the internet, but she’s right.

          Regarding the FBI, they are always hacked and having data stolen from them, this is true and they need to improve. But what do you mean the NSA has been breached? I never heard of such a thing? OPM was breached not the NSA.

          The MAIN problem with the gov’t and military cyber security is that it is split up between so many diff departments and agencies, that when one department notices a breach or malicious activity on a network, the problem is most of the time they don’t have the authority to act on it. Not even regarding the private sector, just even regarding other gov’t or military networks. Even lets say Navy cyber security can’t even act on malicious activity they see on certain navy networks.. They can’t act because their hands are tied due to poor policies and bureaucracy. They have to go through too many channels to notify the other departments etc.. ISP’s have the same problems… one hand doesn’t know what the other hand is doing.

        2. Aa

          Snowden did what he did in part because of how Obamas predecessor implemented programs that broke the law as well as the trust of the people. Just like so many other US implementations, their lasting effects have been precisely the opposite of what they wanted to achieve.

          1. Jim

            Snowden did not expose any illegal activities that’s why he’s not protected under the Whistleblower laws.

            1. SeymourB

              To be fair, the actions taken were only legal because an act of congress retroactively made them legal. At the time the acts were performed, they were completely, unabashedly, illegal.

              If AT&T and Verizon hadn’t gone along with the government, perhaps congress wouldn’t have been so quick to retroactively legalize everything. Nothing like having two of the largest campaign donors in the country being on the hook for billions to make congresscritters jump into action. They know which hands butter their bread.

    3. patti

      Well, nations are working with cybercriminals, so why would not corporations do likewise? And corporations have even less reason not to work with cybercriminals.

    4. Paul Archer

      Trump should just tell the hackers to stop and they will obey him. Believe me.

        1. Soy Tenley

          He’s going to build a really big wall to keep them out.
          Calls it a “firedwall”

    5. jo

      you would be laughing out of the other side of your stupid mouth if your card was attacked. You just love other’s mis fortune.

    6. Bard of Bumperstickers

      El Trumpo oughter make the hackers pay to build a firewall along the TrumpCo-Hackistan border.

  3. Shelby Shum

    Maybe his POS systems are obsolete for not using emv…

  4. Frank

    ….when asked about his hotels being breached twice in less that one year, Donald trump said he was going to build a wall to keep hackers out and get Mexico to pay for it…

    1. Pablo

      Trump should build a huge firewall and get China to pay for it:) China is stealing all our secrets, cloning our inventions, they are thieves and criminals, they are not sending the best like you or you, some are ok I guess but the Chinese government is sending mostly cyber spies and hackers… Hahaha.. That is something that Trump would say…

      1. Mike

        In case you don’t spend much time actually reading this website…..

        It might be something Trump would say but it isn’t far from the truth.

      2. jo

        Have you ever taken the time to realize we have leaders in our white house that don’t give a crap that america is being abused? no of course you have not, you have been to busy making fun of the folks it is happening to. Trump for president

        1. Boris

          America has been abusing the whole world for decades and you dare to complain about being abused.

        2. NotMe

          Most entertaining comments all year.
          Best recent political idea for a pin:

          We shall overcomb.

  5. scieliesz

    Maybe Trump should build a “Wall” to keep hackers out!
    This is truly a reflection of his political ambitions getting the best of him!

    1. Pablo

      …the firewall just got 10 feet taller and North Korea is going to pay for it! Hahaha

  6. Tony

    Not a hotel problem.

    Only after the device vendors are fined into near non-existence, will they properly test their devices for security. They do not care if your card gets stolen. They do care if they will be fined.

    Since the consumer has no way of knowing whether the internet of things (IOT) device is secure, we need to establish a certification agency. Devices need to be certified so that the consumer knows that the device is secure.

    Until such time, do not blame the merchants who purchased these devices. They have no clue. They are simply purchasing credit card scanners and a service from a 3rd party. This 3rd party is the one liable for selling defective equipment and software.

    It will never be fixed until it will cost them more money to not fixe them.

    1. Rick

      I don’t buy your argument: “Devices need to be certified so that the consumer knows that the device is secure.” Security is a moving target. What’s secure today may not be|probably won’t be secure tomorrow.
      Your argument might carry a little weight if the POS devices lived in a world of their own, but the minute they touch their customer’s network, the customer then assumes responsibility to THEIR customers (eg, you and me).

      1. Mike

        I might accept your argument but it isn’t their network. It’s more than likely owned by a California based company that employs six people directly and uses cloud services from another country. No one has any responsibility for any of it (not anymore). It’s all contracted out and subdivided.

        1. SeymourB

          Nah, they use the oil industry model. Everyone except upper management are contractors, so nobody working for the company does anything useful. As a result, when accidents occur, the individual contractors are liable for the actions, not the company, since the company wasn’t involved in the actions.

    2. Eric

      Security is always a moving target however. You might have something that appears to be completely secure now, and then someone will come along and find some new bug to exploit and all of a sudden the devices are no longer as secure as you thought they were.

      CEO types seem to generally regard these things as IT problems. You can couple this attitude with the trend towards outsourcing the IT to someplace overseas, and you have a recipe for disaster.

    3. Suz

      Maybe merchants should be responsible for performing extensive third party due diligence before establishing a relationship. It should be the merchants responsibility to understand what security controls are in place, and what areas are vulnerable and may require additional controls. Since these type of breaches are only growing, it’s surprising to me that so many merchants are able to stand behind the wall of ignorance.

    4. Greg Scott

      > … do not blame the merchants who purchased these devices.

      Tony, you’re wrong. Topology counts. Put those POS systems behind a barrier with a whitelist. Merchants **are** responsible for their own operations.

      I wrote a whole book about how an ad-hoc group of good guys comes together to fight some Russians who steal 40 million customer credit card numbers from a merchant. See http://www.bullseyebreach.com.

      – Greg Scott

  7. vb

    POS devices lack basic security. The hackings will not stop until the devices are improved or the POS device companies are sued into oblivion. POS devices have no way to verify data integrity. If they had the most simple of checksum to verify data integrity, they would have detected these hacked POS systems quickly.

  8. canuck

    “We’re so obsolete in cyber,” Trump told The New York Times. “We’re the ones that sort of were very much involved with the creation, but we’re so obsolete.”

    And yet a second breach happens at a company under his direct control. It’s great to point out problems, but it’s another to do so, then fail twice in one year at it.

    1. MarkW

      Hey canuck, I like that quote too – I would have taken a different second sentence:

      “We’re so obsolete in cyber…. We are frankly not being led very well in terms of the protection…”

      Slightly out of context but if the hair piece fits!

      Now, Can we just get issuers to enforce E2E encryption???

  9. JustinCredible

    “We are committed to safeguarding ALL guests’ personal information and will continue to do so vigilantly.” > So they admit that they protect terrorists’ information?

  10. Joe C

    This is a classic. Trump has boasted about being the best and this has happened twice in less than a year. Maybe he doesn’t hire the brightest minds??
    When will people realize this guy is just full of hot air

    1. Mike

      ….as if he’s the only one!

      Have you ever noticed that when our so-called leaders speak to each other, they usually sound like crying little spoiled brat children?

      1. Soy Tenley

        I’ve noticed that the people who rant about elected and non-elected officials usually sound like obnoxious know-it-all spoiled brat children. Learn to stay on topic.

  11. Joker01

    May be Trump can have Cory Lewandowski discuss this with Brian directly?

    1. KFritz

      Sounds good, but make sure the old medical and accident insurance is paid up beforehand. Or maybe Cory only strongarms female reporters!

  12. Erik

    Why must we give our credit card info to any website? I can envision a system to render that obsolete.

    Whenever we pay for something online, the merchant’s website should open the Visa/Mastercard/AmEx/Discover website in a new browser tab/window, with the merchant’s ID for this transaction and the $ amount indicated. We would log in and then confirm the payment in that window, then return to the merchant website and click a button to indicate that the payment is done. The merchant’s server would then contact a Visa/Mastercard/AmEx/Discover server to verify it’s done. Would that work?

    I’ve recently been affected by fraudulent charges on my credit card, and this isn’t the first time. I would favor online merchants who switched to this system, assuming it really proved more secure.

    1. Its Me

      I do not see how that is any more secure. Now you are going to require everyone to log onto a Visa / MC / DFS / AMEX site with their password of “Password1” and have that stolen at the terminal as well.

      Nothing is perfect and I did not see any details whether or not the Trump properties have moved to EMV or not. I somehow doubt it but will wait to see.

  13. Greg

    Surely this starts to drill home the lesson that until the “card” is smart enough to be able to check the certificate chain of the payment service provider, *and* communicate its findings to the card owner, this will keep happening. Maybe Apple Pay has a future after all?

  14. theadder

    Trump would like to punch the hackers in the mouth.

  15. JB

    If elected POTUS, Trump will personally retask the NSA to find out exacly who and where these Trump hackers are and send in ST6 to take them out. He’ll then run nationwide ads gloating all Trump establishments are new “hacker-free”. Oh, also, The Beast will be replaced with a solid gold, rocket powered Rolls Royce.

  16. nahSon

    In my best Trump voice: “You know who’s gonna pay for this breach? The hackers, that’s who? You know how they’re gonna pay? We’re gonna send them a bill, that’s how!” Sigh.

  17. JD

    Scary. The level of cluelessness is amazing. The only thing worse that I can think of is … er … running state department emails through a private email server and forcing your assistants to remove all clearance information before forwarding emails to you.
    One shows ignorance, which can be corrected.
    The other shows willful efforts to violate federal law.

    My vote: “None of the above.”

    We all know that security is hard, but most people/companies learn to handle it better after a breach. Guess Mr. Trump needs a little more help?

  18. DennisK

    This is all great fun, but I hope most of you don’t think merchants are in control here. The credit card industry took charge and hasn’t done a very good job of protecting consumers or merchants. But since we tolerate it, they continue to pursue their self interests at the expense of the rest of us. An interesting point to note is that the credit card issuers themselves are being breached, so even if the merchant doesn’t get compromised you are still in trouble.

  19. BvR

    From July, 2015
    “Update, 4:56 p.m. ET: The Trump Organization just acknowledged the issue with a brief statement from Eric Trump, executive vice president of development and acquisitions: “Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”
    From this article,
    ““We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.””

    Yea……uh huh. 🙁

  20. meh

    So what is his solution? Is he saying we should practice more offensive security practices? Or is he dumb enough to think he is going to change the law in hostile countries to be completely in our favor?

  21. CooloutAC

    The problem is we live in the biggest spy generation in history. Securing the pos systems to the most hardened pos system ever known to man isn’t going to help when its an inside job. When all it takes is some corrupt employee to steal his supervisors password or something.

    And lets face it nothing is ever secure enough. There will always be new holes and bugs till the end of time. The problem is we live in a society now where we teach little kids how to hack and exploit other people and tell them they are helping society by exposing their methods to the public. We actually encourage it in a live environment. Where hackers think they are allowed to hack other people because “they can” and its the “best way to learn and motivate others”.

    In the digital world its the victim who is always blamed instead of the criminal attacker and thats disturbing. That whole philosophy needs to change because we are building an evil world. Actually we aren’t building anything anymjore and thats the problem, we are just destroying. We need to learn that the digital world is not much different then the physical regarding its morals and structures.

    Its almost as if people believe we should encourage our kids how to break into peoples houses and tell them it helps society by exposing its security flaws. At the same time considering it a cool thing to do. But in reality we all know no home is robber proof no matter what house you live in. Most houses don’t even have any security after 1000s of years building them. I mean do you consider the lock on your door great security? But we fail to admit this is no different for computers in the digital world.

    The problem is not that its possible to break into a computer (which many hackers wrongly believe gives them the right to do it) its the fact most hackers always get away with it.

    I fear the only way things will change in the future, is when organizations stop relying on law enforcement to punish hackers and they start taking matters into their own hands and then we really do start living in a wild west, in both realms.

  22. ChrisB

    Let the initial disclaimer be that I live in Europe and is working inside the payment industry here.

    You are able to make (reasonably) secure systems but it is not free. Europe started down the EMV road 15 years ago. US has, until recently, had the opinion that this was too costly. You only/at most get what you pay for.

    It is not the card schemes that have been dragging their feet. It is the banks and the large chains. The technology has been available for many years, and has been implemented outside US. The card schemes has definitely been willing to do it, but their customers has not.

    EMV does not solve all problems, but it limits a lot of the Problems in the POS area, especially when you go for contactless EMV cards. EMV need not to be slow. The typical transaction time, including PIN entry, is around 8 seconds for the terminals I am working with.

    It is to me strange that chains store the customer card numbers, apparently in plain text. This is no more the case over here. In contemporary European terminals, the PAN (card number) only exists as plain text inside the card, for a short time inside the tamper resistant part of the terminal, and in the processing centre of the issuing bank. The magstripe is susceptible, but less that 0,5% of the transactions here are magstripe transaction. The card never touches the magstripe reader. Most terminals have independent magstripe and chip card readers.

    1. twocreeks

      Disclosure: CDN living in US. Maddening is the foot dragging on activating DMV tech here in Northern Virginia. Chips have been deployed for my CDN card for years and are basically universal there yet even with most pos devices now capable of accepting EMV cards it’s mainly not active. Trader Joe’s comes to mind as a merchant who DOES use this but here and in DC must be something like 90% of merchants I see are still using the mag strip, often with the chip slot taped over. My wife (American) has had her card hacked three times in a year and a half. (She does ‘way more shopping than I). I know activating chip tech is an expense but my GOD! it’s a royal pain in the ass for customers.

  23. ed Turner

    just goes to show you need to purchase the breach insurance the credit card providers offer.

  24. Jo

    How can a guy who can’t keep secure his company pretend to secure a Country?

  25. Ed

    So he attacks Apple because they want better security???

  26. TehDonald

    No, no. I must tell you, listen, Trump properties are the MOST secure on cyber. The most. I have the best people, and they’ve told me what a tremendous job we’re doing. Those guests, well if I had to speculate, released their own data in a quest for attention. What can I tell you?

  27. DaxxlaFuu

    Hate to say it but, until it’s proven, this just looks like another attempt at derailing the Trump campaign. All speculation.

  28. DaxxlaFuu

    “Banking industry sources”…YEAH…because we can totally trust them, right?! How many of those “sources” were bailed out? I’d be curious to know….

Comments are closed.