July 19, 2017

Maybe some of you missed this amid all the breach news recently (I know I did), but Trump International Hotels Management LLC last week announced its third credit-card data breach in the past two years. I thought it might be useful to see these events plotted on a timeline, because it suggests that virtually anyone who used a credit card at a Trump property in the past two years likely has had their card data stolen and put on sale in the cybercrime underground as a result.

On May 2, 2017, KrebsOnSecurity broke the story that travel industry giant Sabre Corp. experienced a significant breach of its payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments. Last week, Trump International Hotels disclosed the SABRE breach impacted at least 13 Trump Hotel properties between August 2016 and March 2017. Trump Hotels said it was first notified of the breach on June 5.

A timeline of Trump Hotels’ credit card woes over the past two years. Click to enlarge.

According to Verizon‘s latest annual Data Breach Investigations Report (DBIR), malware attacks on point-of-sale systems used at front desk and hotel restaurant systems “are absolutely rampant” in the hospitality sector. Accommodation was the top industry for point-of-sale intrusions in this year’s data, with 87% of breaches within that pattern.

Other hotel chains that disclosed this past week getting hit in the Sabre breach include 11 Hard Rock properties (another chain hit by multiple card breach incidents); Four Seasons Hotels and Resorts; and at least two dozen Loews Hotels in the United States and Canada.

ANALYSIS/RANT

Given its abysmal record of failing to protect customer card data, you might think the hospitality industry would be anxious to assuage guests who may already be concerned that handing over their card at the hotel check-in desk also means consigning that card to cybercrooks (e.g. at underground carding shops like Trumps Dumps).

However, so far this year I’ve been hard-pressed to find any of the major hotel chains that accept more secure chip-based cards, which are designed to make card data stolen by point-of-sale malware and skimmers much more difficult to turn into counterfeit cards. I travel quite a bit — at least twice a month — and I have yet to experience a single U.S.-based hotel in the past year asking me to dip my chip-based card as opposed to swiping it.

A carding shop that sells stolen credit cards and invokes 45's likeness and name. No word yet on whether this cybercriminal store actually sold any cards stolen from Trump Hotel properties.

A carding shop that sells stolen credit cards and invokes 45’s likeness and name. No word yet on whether this cybercriminal store actually sold any cards stolen from Trump Hotel properties.

True, chip cards alone aren’t going to solve the whole problem. Hotels and other merchants that implement the ability to process chip cards still need to ensure the data is encrypted at every step of the transaction (known as “point-to-point” or “end-to-end” encryption). Investing in technology like tokenization — which allows merchants to store a code that represents the customer’s card data instead of the card data itself — also can help companies become less of a target.

Maybe it wouldn’t be so irksome if those of us concerned about security or annoyed enough at getting our cards replaced three or four times a year due to fraud could stay at a major hotel chain in the United States and simply pay with cash. But alas, we’re talking about an industry that essentially requires customers to pay by credit card.

Well, at least I’ll continue to accrue reward points on my credit card that I can use toward future rounds of Russian roulette with the hotel’s credit card systems.

It’s bad enough that cities and states routinely levy huge taxes on lodging establishments (the idea being the tax is disproportionately paid by people who don’t vote or live in the area); now we have the industry-wide “carder tax” conveniently added to every stay.

What’s the carder tax you ask? It’s the sense of dread and the incredulous “really?” that wells up when one watches his chip card being swiped yet again at the check-out counter.

It’s the time wasted on the phone with your bank trying to sort out whether you really made all those fraudulent purchases, and then having to enter your new card number at all those sites and services where the old one was stored. It’s that awkward moment when the waiter says in front of your date or guests that your card has been declined.

If you’re brave enough to pay for everything with a debit card (bad idea), it may be the time you spend without access to cash while your bank sorts things out. It may be the aggravation of dealing with bounced checks as a result of the fraud.

I can recall a recent stay wherein right next to the credit card machine at the hotel’s front desk was a stack of various daily newspapers, one of which had a very visible headline warning of an ongoing credit card breach at the same hotel that was getting ready to swipe my card yet again (by the way, I’m still kicking myself for not snapping a selfie right then).

After I checked out of that particular hotel, I descended to the parking garage to retrieve a rental car. The garage displayed large signs everywhere warning customers that the property was not responsible for any damage or thefts that may be inflicted on vehicles parked there. I recall thinking at the time that this same hotel probably should have been required to display a similar sign over their credit card machines (actually, they all should).

“The privacy and protection of our guests’ information is a matter we take very seriously.” This is from boilerplate text found in both the Trump Hotels and Loews Hotel statements. It sounds nice. Too bad it’s all hogwash. Once again, the timeline above speaks far more about the hospitality industry’s attitudes on credit card security than any platitudes offered in these all-too-common breach notifications.

Further reading:

Banks: Card Breach at Trump Hotel Properties
Trump Hotel Collection Confirms Card Breach
Sources: Trump Hotels Breached Again
Trump Hotels Settles Over Data Breach: To Pay $50,000 for 70,000 Stolen Cards
Breach at Sabre Corp.’s Hospitality Unit


69 thoughts on “Trump Hotels Hit By 3rd Card Breach in 2 Years

  1. Denis Seguin

    What about having an extra credit card dedicated solely for hotel stays?

  2. DelilahtheSober

    Could this security breach have anything to do with the completely archaic command-line interface that both SABRE and APOLLO use? My computer experience goes back as far as DOS and Compuserve, and I’ve worked for several years in the travel industry. The only class I absolutely couldn’t pass to save my life was a SABRE course – I’ve never seen anything so archaic and backwoods in my life.

  3. Ifightspam

    Hey Brian,

    How about using throw away cards? You get some that are connected to your bank account but the ones where you load that aren’t connected in my view are best. They are like debit cards. I am certain money exchange businesses offer them at some cost to the consumers as it isn’t entirely “free”.

  4. Brian Lockhart

    I’ve given up and fallen back to using a different risk management and mitigation approach.

    I used to put *all* monthly purchases on a single card, trying to maximize the benefits for that card (mileage points). All recurring automatic charges, plus all daily spending. One card to rule them all.

    But after having that card get compromised 3 times in the last 18 months (with all the resulting hassles you mention above) I’ve decided to just accept reality and assume that any time I hand my card to someone or swipe / insert it into a machine? It’s a goner, and I should be prepared to have that card # changed.

    So now I use 3 cards.

    1 card that is ONLY used for recurring online bills. i.e. places where I enter the card # on a website and trust that it’ll handle the automated charges. (In my case, I’ve been lucky and have yet to see my card get compromised after a breach from one of these services like Spotify, iTunes, Uber, Lyft, etc.) But having to go through and change my billing info for all those services I use? Major pain in the rear.

    1 card that is my “sacrificial lamb” that I carry with me in my wallet, and use for all daily purchases, including travel. This (in my experience) is where I’m far more likely to get my card compromised. So I accept that risk, but limit the potential hassle / damage it’ll cause when it inevitably happens. Because now, I just get a new card in the mail but do NOT have to go through and change all my billing info at all these services I use – see above for that card.

    I also carry a 3rd card in my wallet to serve as a backup for when the “sacrificial lamb” card gets compromised and shut down by the bank – it’s my “spare” to use only when the primary gets taken out.

    Sad it’s come to this, but at least this way I diversify my risk a bit.

    1. vb

      I use this same method. First card for only recurring charges. Second card for the wallet. Third card for on-line purchases, and backup for the second card.

      I have never had to replace my first card and update my recurring charges since I started using this system. My second and third cards have been replaced as needed.

    2. Clint Davis

      Have you tried a service that allows you to generate a unique account number for each merchant? I haven’t yet, but I’m seriously considering it. Anyone have thoughts on https://getfinal.com/? I’m not affiliated with them in any way – just stumbled across the site last week.

      1. vb

        Thanks for this link. My old credit card offered one-time credit card numbers like this, but they stopped and I have not seen anything like it since.

        This will be great for subscriptions. It seems like every time that I cancel a subscription, they charge me one more time, hoping I won’t fight it. With Final, once the card number is canceled, no more charges are possible.

        1. Linda

          To avoid being charged for magazine subscriptions you may not want, when you sign up in the beginning make sure to tell the company that you want to renew yourself and do not want automatic renewal.
          You can avoid this by paying for check from the start.

      2. GS

        I use Citi Bank for this (virtual account numbers). They are pretty flexible, but sometimes the number is declined. In addition, the virtual number is only good online.

  5. B_Brodie

    I’m curious, does the fault lie with SABRE for shoddy security practices (and why hasn’t their PCI compliance audit issued a failing mark and penalized them) or with the hotel itself for not implementing chip and signature / pin?

    1. Wayne

      I agree, I was thinking that a more accurate headline is: “SABRE Card Breach”. The merchant is only going to do what the transaction processor requires, nothing more. There is still enough blame for everyone involved, but I lean toward the processor that implements poor security practices.

      1. Greg Hewitt-Long

        This is purely a click-bait headline – and it worked. This is the ONLY Krebs headline I’ve seen shared by certain IT colleagues who are RABID anti-trumpers in the last year.

        It smacks of gutter journalism – to focus on the 0.04% of hotels affected for the click value. Quite sad really, I expected better of Mr Krebs.

    2. Christoph

      What makes you so sure SABRE ever had a PCI audit? Since they are not a merchant, Payment Service Provider or anyone else with a contractual relationship with any bank (issuer or acquirer) or card scheme?
      And there lies the problem.

      1. Anonymous

        Christoph,
        anyone sharing credit card data with another company, they are required to ensure that company is PCI compliant. doesnt matter if that company is in the credit card transaction process or not. just like companies like Experian, Equifax, TransUnion, they have credit card data, but no direction relationship with a bank on those cards. But the banks sharing data with them require them to be PCI compliant

    3. JRGdeCT

      I agree. Lots of hotel companies were included in this issue. The breach occurred before the card data was handed to the hotel reservations systems. As such, how is this a hotel issue? Hotels take a lot of grief in this, but in this case, the hotels are telling guests they may be at risk since Sabre is refusing to do it. In my opinion, Sabre is not following PII laws as they should be the ones issuing the notices. Not the hotel companies.

  6. Ollie Jones

    Hate to be cynical, but we live in a world where a bad reputation is an asset rather than a liability.

  7. Anonymous

    The chip adds little to no extra protection as long as they are not using E2EE or P2PE. The chip gives the same data to the POS as the track data, which if it can be captured provides everything needed to create either a track only card or execute card not present.

    Yes, it makes it harder to counterfeit a card that you can use at merchants that do EMV since without the chip it cannot create the “on-the-fly” CVV, however for merchants that lack EMV, scraping the EMV data is plenty to create usable fraudulent cards.

    EMV was an expensive band-aid that doesn’t substitute for E2EE or P2PE. It has nominal value, particularly without the PIN enabled. It provides more protection for the banks than it does either consumers or retailers.

    This comment represents my own personal opinion and not that of my employer.

    1. tmiw

      Good luck trying to get the CVV2 from the chip. (Yes, I know some online stores don’t need it, but I expect that’ll become much less common over time.) That leaves PAN and expiration, which unless someone finds a non-destructive way to clone the chip (also probably unlikely any time soon) or manages to convince a cashier to allow them to manually enter the card details (which I suspect will involve requiring CVV2 at some point as well, if not become rare to impossible altogether), isn’t that useful.

      Of course, all that requires the vast majority of stores to actually read the chip. Who knows when that’ll happen?

  8. Nobby Nobbs

    Ha! Now we see the diplomatic downside of using your own properties for US functions. I wonder if the Japanese Prime Minister has had to get a new credit card recently?
    Thanks again, Brian!

  9. Jim

    Why should hotels care? They know people will always travel and will need a place to stay. They know a hotel stay is not really a cash transaction business. And they know they are not going to be held liable for any losses. There is no disincentive for a hotel chain to spend any money on their credit card systems. And that’s sad, because the small local banks and credit unions often carry the burden of losses or costs associated with card replacements.

    1. Robert.Walter

      Under the EMV liability shift, merchants are liable for fraud if customer pays with an EMV card but is forced to swipe because merchant hasn’t upgraded from a magnetic swipe terminal.

      1. vb

        The liability shift does not effect the merchant who facilitate stolen credit cards, only the merchant who accepts stolen credit cards.

        The hotels do care in the fact that they get bad publicity for a breach, but since it’s so common there is currently little negative effect.

  10. George S

    Would the ability to use Apple Pay or similar be even more secure than chip-based card acceptance? Not that this is likely to be implemented either.

    1. Anonymous

      Apple Pay uses First Data Transarmor which is an E2EE solution, so yes, it is far more secure than straight EMV without E2EE or P2PE.

      1. Joaquin Tall

        Anonymous said,

        “Apple Pay uses First Data Transarmor which is an E2EE solution, so yes, it is far more secure than straight EMV without E2EE or P2PE.”

        Those of us in the senior living facility want to ask a question. How can we tell which POS vendor has the E2EE or P2EE that you are touting?

        Many thanks for taking the time to respond!

  11. Tony

    Cash is king. Plastic is…. well…. uhm… its just a piece of plastic!

    1. timeless

      In a lot of countries, cash is plastic (well, polymers)

  12. TokenizedPaymentNow

    Marriott is one chain that accepts ApplePay, which tokenizes the card info.

    1. tmiw

      Marriott hasn’t really rolled it out much beyond their pilot hotels in my experience. Most of the time they just use the card number in my profile and don’t bother swiping, even.

  13. Tom W

    EMV is a fraud as a fraud prevention mechanism. It was designed 20 years to help have authorizations when communication to the merchant service was unavailable. It was never designed to prevent fraud. It marginally works until the criminals refine their ability to clone the chip and I understand they are close. P2Pe is a better deterrent but the whole credit card industry has to be overhauled to get rid of the overhead they place on the economy.

    This comment represents my own personal opinion and not that of my employer.

      1. tmiw

        There have been some (like Chipotle) that have flat out said that they’ll never adopt EMV. Of course, we’ve seen where that got them.

    1. tmiw

      Apparently it has some value because there were banks in Europe that flat out auto-declined charges from the US pre-liability shift without having to jump through hoops.

      Also, citation please on being close to cloning the chip.

  14. IRS iTunes Card

    “You’re Fired ” That’s all I have to say

  15. Robert.Walter

    Once is accident.

    Twice is incompetence.

    Three times is deliberate and criminal.

    The sooner this horror president and his criminal mob are in federal prison the better.

    1. somguy

      Yawn. He has no direct involvement with any of this.

      There’s a lot of legit concerns with him, far better to focus on those than a red herring like “ZOMG hotels getting breached left and right, IMPEACH”

      I do think there should be a serious firing cycle at the hotels management though, whoever is responsible for not adequately protecting things.

      1. Robert.Walter

        “Hire me, I’m a great businessman, I only hire the best!”

        No direct role? Tone at the top is the most important item in shaping the culture at a company.

      1. Robert.Walter

        Snowflake meme, really? Please retire from the conversation to contemplate that glaciers and avalanches are composed of snowflakes.

  16. tmiw

    I’ve heard that at least some Starwood and Hilton hotels can do EMV now, actually. And I went to a FairBridge Inn in Idaho recently that was inserting cards on a standalone terminal, too. (I prepaid for the room online so I didn’t get a chance to use the chip that trip.)

    Anyway, I have a theory that chip vs. swipe vs. tap eventually won’t matter too much with the way technology is going. Lots of people use Uber and Lyft, for example, not to mention everyone who orders their food or drink ahead using e.g. Starbucks’ app or Amazon’s upcoming cashierless stores. Apple and Google encouraging more app/website integration will help significantly by not requiring that we store our card data with every retailer we buy stuff from.

    1. Robert.Walter

      I use Apple Pay every chance I get so does my 84yo mom and younger sister. Of course there are retailers that don’t yet do chip in the USA, let alone NFC payments so there is still some unavoidable exposure. (Except for me as where I live in Europe all have taken EMV for years and a large number support NFC payments as well.)

      Mom and sis both have a SkyMiles Amex and costco Citi Visa cards (mom also has a Citi MC but this sits in her safe.) All monthly accounts that can be paid on the cards are. They don’t use debit or ATM cards (haven’t used in so long the CU cancelled them).

      My having everything set up in my Mac makes changes easy. Mom forgot her visa at Kroger. We called Visa and they cancelled the card, sent a new one two days later and 25 min after call sent her a text letting her know they had remotely updated her Apple Pay info and could use it even before the new card arrived. I was able to change the half dozen or so auto bill accounts in under a half hour.

      1. tmiw

        My point really is that I don’t think NFC will ever get all that much use in the US–except possibly as a backup when traveling. Even then people might very well just use the chip instead, especially since by then most stores will likely have significantly optimized their implementations and/or implemented Visa’s Quick Chip. Retailers trying to get rid of the cashier altogether will do far more to save people’s time (and the retailers’ bottom lines) than tapping, not to mention improving customer loyalty by keeping them using their own apps. I’m not sure security matters all that much to most either due to the banks’ zero liability policies.

        The question now is whether Apple and Google can stay ahead of the trend. If not, we’ll all end up having separate accounts for every store we frequently go to and having to hope that stores don’t skimp out on PCI compliance and general security.

  17. Ben Reed

    I went to a Hilton in San Francisco during RSA. All credit card machines were asking for chip, however their POS systems could not accept this yet. So they were having everyone put their CC in backwards, which would force the Verifone system to ask you to swipe your card instead of using the chip. After swiping them everything worked…..

  18. Nick

    Hi This is a problem unique to the USA because they do not have chip and pin. Cardholder present transaction fraud is virtually non-existent in Europe and there is definitely no need for “end to end” encryption this is an American misconception of how chip and pin works.

  19. David

    Trivial, naive and misleading. If the US had gone with EMV in the early part of this century rather than bleat on for the last 15 years about how mag stripe is just as secure, we wouldn’t be seeing this. You don’t need P2PE, you don’t need E2EE, and the chip allows secure transactions over insecure networks, and the cards can’t be cloned. The US decision to stick with magstripe has driven the world down the path of PCI-DSS (not needed with EMV) which has cost orders of magnitude MORE than it would have cost to implement chip in the transactional 3rd world that is the US. Whilst the reasoning behind this colossal waste of money should be obvious to anyone that understands card payments, none of the card schemes can admit it as then they would open themselves up to law suites from many of the organisations that were forced to implement the nonsense associated with PCI-DSS. The US is suffering from fraud that has been virtually eliminated across the rest of the world.

    1. vb

      ” The PCI-DSS system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines are profitable to them.”

      1. Greg Hewitt-Long

        ^^^- This. PCI fines and penalties are a tax on small businesses – nothing more.

        The trouble is the $20-30 per month isn’t enough of a pain point for most businesses to take the time or to pay someone to do it for them.

        Implement tokenized payments where possible and download a blank PCI Compliance plan – take the time to complete it and send that puppy in to your bank/processor.

  20. Drone

    They don’t care…

    The cost associated with a breach is passed right along to the customer base, and all large retail merchants get breached – often. (You just never hear about it in almost all cases.) As a result, there’s no competitive advantage to being more diligent when it comes to security. In the end, they look at a breach as a recurring minor inconvenience; and more and more consumers are just accepting that their cards will be compromised sooner or later.

    The fix…

    There is only one way to immediately stop the complacency when it comes to consumer credit security: Rescind the laws that in-essence indemnify consumers against loss in cases of card system fraud. (In-reality consumers are not indemnified, the losses are just spread out amongst all card users, who as a whole end up paying anyway.)

    Once that happens, you watch just how fast the card companies will secure their systems! If they don’t, nobody will even touch one of their cards.

    In the very few cases of fraud that follow after the change, consumers will still have recourse against the card companies through the Courts – provided accompanying laws are passed banning one-sided forced arbitration rules, and the removal of any shields protecting the card companies against class-actions; practices that never should have been permitted in the first place.

    But alas, the passing of meaningful laws requires a functional and accountable Government largely free of corruption – something that clearly doesn’t exist today in the United States of America.

  21. Adrian Thornton

    The credit card companies can’t be that bothered about the associated cost of card fraud or they’d do something about it.

    1. BrianKrebs Post author

      You’re right that the credit card companies don’t really have a vested interest in stopping fraud, but it’s important to understand that at least with Visa and Mastercard, the banks are the ones who issue the cards, not Visa and MC. When there’s a loss that can’t be blamed on a retail breach, the banks that issued the card usually end up eating the cost.

      1. Drone

        “When there’s a loss that can’t be blamed on a retail breach, the banks that issued the card usually end up eating the cost.”

        No.

        In the end, the cost of credit card fraud gets passed on to the card holders. Card companies, banks, their insurers, the insurer’s re-insurers, all of them never “eat” anything in the end. The cost is ultimately passed on to the consumer – one way or another. You pay!

        The FIRST step to really putting a stop to negligent security practices in the consumer credit industry is to hold the card companies accountable under the law. That’s not happening today.

  22. btclover

    Bitcoin is King! Not cash not plastic! I use bitcoins daily bases and im in love with btc!!

  23. Mike

    Brian, do you have any contacts at major hotel chains by now, it would be interesting if one could be convinced to roll out chip enabled card readers for all hotels and franchisees with the reward of free promotion from Brian Krebs and other security experts. The financial loss and risk do not seem to be enough, but how much do they spend on marketing? Red Jacket Resorts is one chain that uses chip readers but has like 5 hotels.

    Similar thought occurred to me when I found out the IRS has had a program since 2011 encouraging banks to verify identities of tax refund deposit recipients but only a handful of banks participate, meanwhile we lose tens of billions of dollars as a nation, so they save a buck. Unfortunately, Congress is useless so free publicity is all I can think of as a way to encourage people although I still keep asking my local Congressman as well.

  24. Jim

    Very interesting article. As the research paper listed, there are still problems upcoming. With the advances in computing power and smaller multifunctional chips coming, would bet on, counterprogramming to occur. With NFC, injection programming has been demonstrated in the past. That was years ago, Oregon or Idaho university. Capturing the NFC data was demonstrated in the mid 90’s. Capturing machine data, even prior to that. Considering this, do those programs leave tracks in your device memory? I would say yes, they are waiting for a signal, supplied. The app countersigns, and the transaction initiates and completed the transaction requested. NFC at the time was only good for up to sixty foot, modern antennas, modern processors, who knows now. But have seen reports of a quarter mile.
    The new cards and pin’s, yes, cover the pin pad, and don’t be obvious, but, the pad puts out a signal. Otherwise the computer the computer would read garbage. GIGO. And refuse to initiate. The old oh, not enough left on that card substitute use different card trick. Oh, shucks, that was warned about, way back when wards was still open, about rebooting machines then. Durn long time ago. That was SQL injection attacks then, and, have the vectors of the attack changed? No, they still want the money you have. Has the security gotten better? Hope so. Would I bet on it?

  25. Pete

    Everyone has a method to minimize their risk. Part of that mitigation strategy is using reputable banks for the cards and having a use-pattern that minimizes hassles.
    a) Daily use card. Only in the USA, but basically for everything over $35. It is tied to FF program.
    b) International only card. Only used OUTSIDE the USA. It was chip-n-pin until my bank screwed me over and converted to chip-n-signature. They refused to go back. Before it was chip-n-anything, it was compromised on a trip at some point. 6 months later, it was used the same day in New York City and Miami to buy a iPhone and $500 in i-store pre-paid cards. Apple called within 24 hrs to ask about it. They handled everything. I called the bank and they handled it immediately, issued a new card. ZERO hassle. I’ve never bought anything from apple – ever.
    c) Backup card. This gets used about 5 times a year – usually for gas purchases at sketchy places where I don’t want to risk the daily-use card.

    I don’t have a debit card. Still use an ATM. It works everywhere I’ve been in the world – 5 continents. 1st world and 3rd world. Just look for a Citi or HSBC ATM. Have been screwed by fees in BKK (Bank of Thailand), but my bank paid those. Had 1 ATM in Kathmandu refuse the ATM card. Crossed the street and used a different machine.

    I don’t use CC for purchases under $35.

    My bank account tied to the ATM card doesn’t usually have more than $2-$3K in it for more than a day or 2 after each payday. Money gets moved out quickly into safer accounts.

    My credit cards are for convenience only. No balance kept. Paid in full monthly. They are with different, unrelated, financial institutions too. Saw a relative get screwed on a trip because his wife lost 1 credit card. She called the bank and they cancelled all the cards tied to their joint accounts – even though 3 of them were not lost. Bumbling bankers.

    Just be certain that whatever steps you take reflect the true risk profile for your financial life.

    Put a credit lock on your credit reports if there was ever any release of data (which has happened to pretty much everyone in the USA by now).

    And check your 3 credit reports as often as legally allowed by your state. Calendar reminders help with this stuff. Takes 10 minutes on the phone to get them snail-mailed to you.

    1. Greg Hewitt-Long

      This is a very good strategy for those that can apply it.

  26. Greg Hewitt-Long

    There are 32,000 hotels + accommodations in this breach – and the article focuses on Trump Hotels – a total of 13 affected (out of 23 worldwide).

    So you focus on the 0.04% of hotels that get the clicks eh? How many of us are likely to have stayed at a Trump property? Compare that to the number that could have stayed at the other 99.96% of properties and you went for the 0.04%… hmm.

  27. Terri

    I am the IT Director at a hotel and we are in the process of rolling out chip and pin readers. I feel the majority of the reasons other hotels don’t do it is the extreme level of effort and cost. Changes to the software, changes to processes, and training. In general, hospitality is not a fan of change. One of the bigger stumbling blocks is with the service providers: Getting resources from the software companies, the people that have to support the technology aren’t ready, and the devices are inconsistent in their performance. IT and and the business need to drive this together. Often with security, IT sees the need but can’t articulate the risk enough for the business to spend the money to do it. Until IT / Security and the Business align we will continue to struggle with breaches, data management and overall security.

Comments are closed.