Trump Hotel Collection Must Pay $50K In Penalties And Reform Data Security Practices Following Two Separate Breaches; Schneiderman: We Will Keep Working To Protect New Yorkers From All Forms Of Identity Theft
In late May 2015, multiple banks analyzed hundreds of fraudulent credit card transactions and determined that THC was the last merchant where a legitimate transaction took place. This is known as a “common point of purchase” (“CPP”) and suggests that THC was the target of a cyber-attack resulting in a compromise of credit card information. By June 10, 2015, a preliminary forensic investigation confirmed the existence of credit card targeting malware at multiple THC locations, including in the computer networks associated with New York, Las Vegas and Chicago hotels. Further investigation revealed that on May 19, 2014, an attacker infiltrated THC’s payment processing system by accessing an administrative account in the primary domain controller using legitimate domain administrator credentials. Using this unauthorized access, the attacker deployed malware designed to steal credit card information across the THC computer network and credit card processing environment.
Despite its knowledge as early as June 2015 that multiple properties had been infiltrated with malware designed to steal credit card numbers, and that banks had analyzed multiple fraudulent transactions and identified THC as a CPP, THC did not provide notice to its customers until close to four (4) months later, on September 25, 2015, when it placed a notice on its website about the data security breach. This delay violated New York’s General Business Law § 899-aa which requires notice to consumers “in the most expedient time possible and without unreasonable delay.”
The following THC properties were infected with malware designed to steal credit card numbers and related information:
- Trump SoHo New York – 246 Spring Street, New York, NY 10013;
- Trump National Doral – 4400 N.W. 87th Avenue, Miami, FL 33178;
- Trump International New York – One Central Park West, New York, NY 10023;
- Trump International Chicago – 401 N. Wabash Avenue, Chicago, IL 60611;
- Trump International Waikiki – 223 Saratoga Road, Honolulu, HI 96815;
- Trump International Hotel & Tower Las Vegas – 2000 Fashion Show Drive, Las Vegas, NV 89109; and
- Trump International Toronto – 325 Bay Street, Toronto, Ontario, Canada M5H 4G3.
On March 30, 2016, THC received additional CPP reports from its payment processors about a second breach. Another forensic investigation revealed that THC experienced a second breach where an attacker gained unauthorized access on November 10, 2015. The attacker installed credit card harvesting malware on 39 systems affecting five hotel properties including Trump SoHo New York located at 246 Spring Street, New York, NY 10013. The forensic investigation also discovered that on March 21, 2016 the attacker also connected to a legacy payment system on the network of the Trump International Hotel & Tower New York which included personal information of THC property owners including the names and social security numbers of approximately 302 people, 44 of whom live in New York. THC provided consumer notification to these affected individuals on June 10, 2016.
The final forensic investigation report of the first breach recommended that THC adopt additional security precautions including “two-factor authentication” for remote access to the THC network, which is an extra layer of security that requires not only a username/password but additional information that only the user will know, e.g., a random number from a physical token. However, it was not until April 4, 2016 that THC adopted this solution. If THC had adopted this solution after the first breach, consistent with its forensic investigator’s recommendation, it may have prevented the second breach.
The settlement requires THC to maintain reasonable security policies and procedures designed to protect consumer personal information including:
- Designation of an employee or employees to coordinate and supervise THC’s program designed to protect the privacy and security of personal information;
- Annual employee training to at a minimum inform employees who are responsible for handling personal information about data security, the importance of consumer privacy and their duty to help maintain its integrity;
- Responding to events involving unauthorized acquisition, access, use or disclosure of personal information including training all staff who are responsible for inputting, entering, maintaining, storing or transferring personal information on data breach notification law;
- Identifying material risks to the security and confidentiality of personal information that are reasonably likely to result in the unauthorized disclosure of such information, including through the regular review of security industry news sources for newly identified security vulnerabilities;
- Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of two-factor authentication for remote access to computer systems;
- Regular testing of the effectiveness of the safeguard’s key controls, systems, and procedures, including through reasonable and appropriate software security testing; and
- Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement and requiring service providers by contract to implement and maintain appropriate safeguards.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Resident Technologist Marc Kowtko, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.