Radisson Hotel Group has confirmed a data breach that exposed the personal details of “small percentage” of its Radisson Reward member’s scheme.
The hotel identified the breach on 1 October 2018. In a statement, the hotel group said that the data breach “did not compromise any credit card or password information”.
Information accessed by hackers was restricted to the names, addresses, country of residence and email addresses. In “some cases” company name, phone number, Radisson Rewards member number and frequent flyer numbers were also compromised.
The hotel chain said that it “identified” the hack on 1 October, which occurred on 11 September. However, they did not inform Radisson Rewards members until the 30 October.
It is unclear if they informed the UK’s data watchdog, the Information Commissioner’s Office. Under Europe’s General Data Protection Regulation (GDPR), an organisation has 72 hours to inform the relevant data protection body.
Rusty Carter, VP of product management at cybersecurity company Arxan Technologies, said that not all companies are taking note of GDPR.
“Even with legislation like GDPR, companies are not securing or quickly disclosing the loss of customer information,” he said.
“Consumer trust is being stressed to the limit and we may be nearing an inflection point where a dramatic consumer plus government response will have acute and long-lasting impacts on business performance.”
In the statement, Radisson Rewards said that it “takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future.”
It is unknown who was behind the attack or how they gained access. The hospitality group warned those affected to look out for phishing attacks, in which bad actors use personal details to pose as a reputable organisation to solicit more details.
Radisson Hotel hack: Hospitality sector being targetted?
It is not the only hospitality cyberattack this year. In June, cybercriminals stole information of a similar nature to the Radisson Hotel hack from hotel booking service FastBooking.
In August, holiday and leisure firm Butlins confirmed that it had been subject to a hack affecting the records of an estimated 34,000 customers. More historically, a number of Hilton Hotels customers had their personal and payment details compromised in 2015.
Carter believes that the hospitality sector is actively being targetted by criminals.
“As financial services and other highly regulated industries lock down their apps and websites, attackers are increasingly moving on to softer targets that are still ‘data rich’ in terms of the kind of personal information that can be stolen and then monetised,” he said.
“The Radisson breach further highlights the hospitality industry as a target and the weaknesses of companies to identify attacks underway.”
The Radisson Hotel hack was first reported by Business Traveller, after a Radisson Rewards customer informed the publication of an email he received alerting him that his details had been compromised.