Donald Trump’s chain of luxury hotels has agreed, this week, to pay upwards of $50,000 in penalties after failing to notify customers, in a timely fashion, of two separate data breaches that compromised in excess of 70,000 credit card numbers, as well as other crucial personal data.
The Trump Hotel Collection is a chain of high-end (boutique) hotels owned by the Republican presidential nominee and his three adult children through The Trump Organization, which is the primary holding company for the well-known real-estate developer’s various business ventures.
According to the office of the New York Attorney General, the Trump Hotel Collection must now adopt new security measures, including certain safeguards as well as annual training for its employees. This is all under the terms of the settlement as described by NYC AG Eric T. Schneiderman.
In a statement, Mr. Schneiderman notes, “It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law. Consumers’ personal information is all too often exposed to wrong-doers with ill-intent. We will continue working to help protect hardworking New Yorkers from all forms of identity theft.”
The settlement, which was announced on Friday, relates specifically to data breaches the chain suffered between 2014 and 2016. The first breach happened on May 19, 2014, when an attacker managed to gain unauthorized access to an administrative account on the Trump Hotel Collection’s payment processing system and used that access to deploy malware, designed specifically to steal credit card data, throughout the chain’s computer network.
Furthermore, the Attorney General said that the initial incident went completely unnoticed for an entire year, at which point multiple banks reported the discovery of “hundreds of fraudulent credit card transactions” on accounts whose last legitimate transactions had been through a Trump hotel.
While the banks reported the discovery, cardholders affected by the breach remained unaware until the Trump Hotel chain posted a notice on its website four months after learning about it. This is a violation of state business law, which requires victims of such hacks to be notified “in the most expedient time possible and without unreasonable delay.”
So now, in addition to this fine, the hotel chain has also agreed to install several new safeguards to ensure customer information remains secure.