The New York Attorney General slapped Donald Trump’s hotel chain with a $50,000 fine over a data breach the company didn’t bother to tell customers about for months after it was discovered. More than 70,000 credit card numbers and other personal information was exposed, the AG’s office announced in a press release.
In May of 2015, banks were hit with a wave of fraudulent credit card transactions. When they went looking for a common link, they found that the cards had all been used at Trump hotels in the last transaction preceding the fraud. The following month, cybersecurity experts found evidence that malware designed to steal card information had been planted about a year earlier, back in May 2014, in the computer systems of seven Trump hotels, including ones in New York, Honolulu, Miami, Las Vegas, Chicago, and Toronto.
Problem was, Trump Hotels didn’t get around to telling customers that their credit card information could have gotten into the hands of cybercrooks until September—four months after the breach was discovered.
“This delay violated New York’s General Business Law § 899-aa which requires notice to consumers ‘in the most expedient time possible and without unreasonable delay,’” the AG’s office said in a statement.
What’s more, the cybersecurity investigators urged Trump’s hotel chain to invest in more robust online security protocols, such as two-factor authentication, that do a better job of protecting customer data. They didn’t get around to doing that until this April, five months after the company was hit with a second data breach at five hotels, and a month after cybercrooks got into the network of the Trump International Hotel & Tower New York, from which they stole names and Social Security numbers of more than 300 people. “If THC [Trump Hotel Collection] had adopted this solution after the first breach, consistent with its forensic investigator’s recommendation, it may have prevented the second breach,” the AG’s statement said. The culprit or culprits who broke into the systems were never found out.
In addition to the fine, the Attorney General gave Trump’s hotels a seven-point list of steps to improve the security of customer data, including staff training, two-factor authentication for remote network access, and regularly testing the safeguards it has in place.