Radisson Hotel Group Confirms Loyalty Program Data Breach
Multiple news outlets are reporting that Radisson Hotel Group has suffered a data breach affecting its Radisson Rewards members. According to Business Traveler, the company told affected individuals that the breach only affected a small percentage of its rewards members and that it detected the breach on Oct. 1 and notified affected guests on Oct. 30 and 31. According to ZDNet.com, the breach occurred on Sept. 11 and less than 10 percent of Radisson's loyalty members were affected.
Radisson Hotel Group released a statement confirming the data security incident. In the statement it said that no credit card or password information was compromised. Instead, information accessed was restricted to member names, addresses, email addresses, company names, phone numbers, Radisson Rewards member numbers and frequent flyer numbers.
The hotel added that it immediately revoked the unauthorized persons' access and that all affected member accounts have been secured and flagged so that the hotel can monitor them for unauthorized behavior. It also added that members should monitor their own accounts for suspicious activity, and that the attackers may try to email members, posing as Radisson Rewards, to ask for personal information such as passwords and user details.
“Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future,” the company noted.
Radisson Hotel Group, which is based in Brussels, will be a test for GDPR, which went into effect on May 25. GDPR requires that data breaches be reported within 72 hours. Radisson told ZDNet.com that it promptly informed EU regulators of the situation. However, if it is discovered that Radisson did not comply with GDPR guidelines, it could be fined as much as 10 million euros or four percent of global turnover, whichever is more.
"Large implications of this particular incident revolve around how the EU decides to enforce GDPR," agrees Ross Rustici, senior director, intelligence services, Cybereason. "Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations."
Rustici adds that criminals will likely use the information gathered from this data breach for low-incidence criminal use cases.
"The most likely way this information is to be monetized is through enhancing a pattern-of-life analysis on particular individuals, either high net worth or people with specific access to something," he explains. "This type of information is far more useful for an intelligence targeting package than for large-scale monetization."
One reason hackers went after the loyalty rewards program at Radisson is that most loyalty programs are a "treasure trove" of data that is not well monitored, states Lisa Baergen, VP of Marketing, NuData Security, a Mastercard Company.
"Additionally, card members don't necessarily pay attention until they want to use them for a free room. So, the alarm bells don't go off soon enough, if at all. Confirming that all points of risk, not just the purchase, are fully secured will ensure the company's environment is not a target for bad actors," she states. "Multi-layered solutions that include passive biometrics and behavioral analytics can do this seamlessly and without relying on usernames and passwords, blocking fraudulent activity inside an account before any assets are stolen."
Biometrics as a new security precaution seems to be gaining ground among corporations and consumers.
George Avetisov, CEO of HYPR, a decentralized authentication provider, asserts that hotels should go entirely passwordless to prevent fraud in an industry where it is quite prevalent. According to Avetisov, the problem is that companies (even password managers) tend to rely on one central server to store passwords, which is an easy target for hackers to break into. And with many of those passwords being recycled across multiple accounts, all a hacker has to do is cross-reference those passwords with stolen credentials from a previous breach and use the results to carry out a larger attack.
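Two defensive points in this story lend themselves to concrete detection logic: the hotel's statement that affected accounts were flagged so they could be monitored for unauthorized behavior, and Avetisov's warning that recycled passwords let an attacker replay credentials from an earlier breach against many accounts at once. The following is an added example written for this page, not code from Radisson, Cybereason, NuData or HYPR. It runs two checks over a constructed loyalty-program login log: it reports source addresses that attempted logins against an unusually large number of distinct member numbers (the signature of credential replay across accounts), and it raises a review alert whenever a previously flagged member account is successfully accessed from an address not already associated with that member. The member numbers, IP addresses, timestamps and the `member=... ip=... result=...` log format are all constructed for the example.

```python
"""Added example: login-log checks for a loyalty program after a breach.

Not the hotel's or any vendor's code. The log format, member numbers and
IP addresses below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample log: one login attempt per line.
SAMPLE_LOG = """\
2018-10-01T08:00:01Z member=R100001 ip=203.0.113.7 result=fail
2018-10-01T08:00:02Z member=R100002 ip=203.0.113.7 result=fail
2018-10-01T08:00:03Z member=R100003 ip=203.0.113.7 result=fail
2018-10-01T08:00:04Z member=R100004 ip=203.0.113.7 result=fail
2018-10-01T08:00:05Z member=R100005 ip=203.0.113.7 result=fail
2018-10-01T08:00:06Z member=R100006 ip=203.0.113.7 result=ok
2018-10-01T09:15:00Z member=R100003 ip=198.51.100.20 result=ok
2018-10-01T09:20:00Z member=R100010 ip=192.0.2.44 result=ok
"""

# Constructed: accounts the operator has flagged as affected by the incident,
# and the addresses each of those members has been seen from before.
FLAGGED_MEMBERS = {"R100003", "R100006"}
KNOWN_IPS = {
    "R100003": {"198.51.100.20"},
    "R100006": {"198.51.100.9"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) member=(?P<member>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def stuffing_sources(events, min_accounts=5):
    """Return source IPs that tried at least `min_accounts` distinct member numbers.

    A single address cycling through many accounts, mostly failing, is the
    pattern produced by replaying credentials taken from another breach.
    """
    members_by_ip = defaultdict(set)
    for event in events:
        members_by_ip[event["ip"]].add(event["member"])
    return {ip for ip, members in members_by_ip.items() if len(members) >= min_accounts}


def review_alerts(events, flagged_members, known_ips):
    """Return (member, ip, timestamp) for successful logins to flagged accounts
    from an address not previously associated with that member."""
    alerts = []
    for event in events:
        if event["result"] != "ok" or event["member"] not in flagged_members:
            continue
        if event["ip"] not in known_ips.get(event["member"], set()):
            alerts.append((event["member"], event["ip"], event["ts"]))
    return alerts


def run_checks(text, flagged_members=FLAGGED_MEMBERS, known_ips=KNOWN_IPS):
    """Run both checks over a log and return the findings as a dict."""
    events = parse_log(text)
    return {
        "stuffing_sources": sorted(stuffing_sources(events)),
        "review_alerts": review_alerts(events, flagged_members, known_ips),
    }


if __name__ == "__main__":
    for name, finding in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample log the first check names 203.0.113.7, which touched six different member numbers in six seconds, and the second check raises one alert: flagged member R100006 was accessed from that same address, which the account had never been seen from before. The flagged member R100003 logging in from its usual address produces no alert, which is the point of keeping per-member known addresses rather than alerting on every login to a flagged account.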