Cybersecurity journalist Brian Krebs, citing several banking sources, reported on his blog on Friday 25 September 2015 that a pattern of fraud has been detected involving credit cards that had been used at point-of-sale registers in gift shops and restaurants at “a large number of Hilton Hotel and franchise properties.”
In a statement to NBC News on the afternoon of Friday 25 September 2015, a Hilton Worldwide spokesperson said he was aware of the report.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace,” the statement said. “We take any potential issue very seriously, and we are looking into this matter.”
Yesterday, 24 November 2015, Hilton Hotels and Resorts reported on its website that some of its point-of-sale devices were compromised, some potentially as far back as November 2014.
“We have determined that the payment card information may have included cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs)”.
However, the exposed data could enable attackers to create fake cards and make purchases online, by phone or mail order!
As a precautionary measure, the hotel group advised customers to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel between 18 November and 5 December 2014, and between 21 April and 27 July 2015.
If I compare this case to the new European Privacy Regulation on data breach disclosure, I think some weaknesses catch the eye:
– They spent more than 72 hours between the discovery of the data breach and the disclosure to customers
– The data breach lasted more than a year and was discovered by third parties; therefore the measures in place were not sufficient
– The disclosure did not indicate the measures implemented for data protection nor those taken to reduce the damage
… and maybe there are other weaknesses, but these are enough!