The Washington PostDemocracy Dies in Darkness

Hackers have been stealing credit card numbers from Trump’s hotels for months

The Trump International Hotel Washington D.C. was one of 14 properties worldwide to be hit by the latest security breach. (Bill O’Leary/The Washington Post)

Guests at 14 Trump properties, including hotels in Washington, New York and Vancouver, have had their credit card information exposed, marking the third time in as many years that a months-long security breach has affected customers of the chain of luxury hotels.

The latest instance occurred between August 2016 and March 2017, according to a notice on the company’s website, and included guest names, addresses and phone numbers, as well as credit card numbers and expiration dates. The breach took place on the systems of Sabre Hospitality Solutions, a reservation booking service used by Trump Hotels, but did not compromise the Trump Hotels’ systems.

“The privacy and protection of our guests’ information is a matter we take very seriously,” the notice said, adding that Trump Hotels was notified of the breach on June 5. Trump Hotels declined to comment beyond what was posted in the notice.

Trump’s D.C. hotel is promising government and military discounts, but good luck getting them

The news of the latest cybersecurity attack comes less than a year after Trump International Hotels Management paid $50,000 in penalties to New York state for failing to notify customers immediately after earlier data breaches led to the exposure of more than 70,000 credit card numbers and 300 Social Security numbers. The company also agreed to update its security practices as a result of the settlement.

Security analysts say hotel chains — which have lagged behind many other businesses in protecting their networks — have been hit particularly hard by cyber attacks in recent years because they tend to have massive swaths of personal data and credit card information across multiple properties. Earlier this year InterContinental Hotel Group said customer credit card data had been compromised at more than 1,200 of its properties, including Holiday Inn and Crowne Plaza hotels, over a three-month period.

“Why are hackers targeting hotels? Well, because they’re a good target,” said Peter W. Singer, a senior fellow at the New America Foundation, a centrist think tank. “Then you look at Trump’s hotels, and they’re obviously a highly symbolic target.”

The hotel chain has probably become even more appealing to hackers in recent months, Singer said, because it has attracted a steady stream of Republican lawmakers, industry lobbyists and foreign dignitaries seeking to conduct business with the president.

“If more people are staying there in an attempt to curry favor with the government, the fishing pool of targets is certainly greater than it was prior to November,” he said.

Conspicuously missing from Donald Trump’s new hotel venture: His name

Attackers first infiltrated Trump hotels’ payment processing system in May 2014, and installed malware on the hotel’s networks to mine customers’ credit card information, according to an investigation cited by Eric Schneiderman, New York’s attorney general. Trump Hotels was informed of the breach in June 2015 but did not post a notice on its website until four months later, according to Schneiderman.

A second breach took place beginning in November 2015, when an attacker installed malware on 39 systems affecting five Trump hotels, according to investigators. Four months later, in March, an attacker tapped into a legacy payment system that included personal information of Trump hotel property owners, including the names and Social Security numbers of more than 300 people.

“It seems very negligent that this could happen a number of times,” said Justin Cappos, an associate professor of systems and security at New York University. “These patterns of oversight are a huge problem.”

‘The only problem is that Trump has his name on it,’ meeting planners say of hotel

In the most recent breach, less than 15 percent of daily bookings on the reservation system during the seven-month period were compromised, according to a Sabre spokesman. Other affected hotels include 11 Hard Rock Hotel & Casino properties and 21 Loews Hotels. It is not uncommon, analysts said, for breaches like these to span many months.

“These things can go undetected for several months to over a year,” said John Christly, chief information security officer for Netsurion, a network security provider. “We’re not seeing a lot of hotels focus on security the way we’d like them to, but with the proper technology, hacks like this can be stopped before they even happen.”

In May, ProPublica and Gizmodo found that a number of Trump properties, including the Mar-a-Lago resort in Palm Beach, where the president regularly spends his weekends, had less-than-secure wireless networks. “We could have hacked them in less than five minutes,” reporters at those sites wrote, “but we refrained.”

That same month, President Trump signed an executive order on cybersecurity that holds federal agency heads accountable for cybersecurity risks and breaches in their networks. “The executive branch has for too long accepted antiquated and difficult-to-defend IT,” the order said.

“We’ve seen increasing attacks from allies, adversaries, primarily nation-states, but also non-nation-state actors,” Thomas Bossert, Trump’s homeland security adviser, said in a White House briefing at the time. “Sitting by and doing nothing is no longer an option.”

Read more:

Couples are getting cold feet about weddings at Trump’s hotel

Store-brand smackdown: The country’s largest grocer is suing a rival with just 10 U.S. stores

$350 jeans are dead. $100 leggings killed them.

You can now snort chocolate — but should you?