Radisson Hotel Group reveals breach of rewards site

Details exposed of loyalty card members.

Radisson Hotel Group reveals hack of rewards site

If you’ve stayed in one of the over 1400 hotels in 70 countries that make up the Radisson Hotel Group, you could be in for a rude awakening.

The hotel chain - which includes brands like Park Plaza, Park Inn, Radisson Blu, Radisson Red, Country Inn & Suites, and Radisson Collection - has announced that it has suffered what it euphemistically describes as a “data security incident” (but you and I might possibly call a “hack”) impacting “a small percentage” of members of its loyalty and rewards scheme.

Fortunately, no passwords or financial information were exposed, according to the company. So that’s some good news.


However, a few things do still jump to my attention.

One is that Radisson isn’t saying how many of its Rewards members were affected. The most they’re currently prepared to do is describe it as a “small percentage”. My guess is that they’re doing that in the belief that giving a number might only add fuel to the fire.

Secondly, it’s disappointing that there’s no indication of how the breach might have occurred. Was there a vulnerability on the Radisson Rewards website that has now been fixed? Were some accounts compromised because the hackers were able to log in with credentials scooped up in an earlier attack against a different website (so-called credential stuffing, which only works against members who reuse passwords)? We don’t know, because Radisson isn’t sharing any details.

Third, when did the breach occur and how long has it taken to inform exposed customers?

The hotel chain says that it discovered on October 1st that personal information about Radisson Rewards members, including their names, physical addresses, countries of residence, email addresses, company names, telephone numbers, frequent flyer numbers, and Radisson Rewards numbers, had been compromised during the breach.

However, it took until October 30th and October 31st for Radisson Hotel Group to inform affected customers, and, according to reports, the breach itself occurred on September 11th.

One wonders what held up the hotel’s disclosure of the security breach between the start and end of October.

While we’re waiting for an answer to that one, Radisson Rewards members would be wise to keep an eye open for any attempts by scammers to use phishing emails or unsolicited phone calls to lure them into clicking on links or sharing further personal information. Bear in mind that a fraudster holding your name, address, rewards number and frequent flyer number can make a fake “Radisson” message look very convincing, so treat any unexpected contact that quotes those details with the same suspicion as one that doesn’t.

Even if you’ve never stayed at a hotel owned by the Radisson group this is still a case that should be watched with interest. In all likelihood, Radisson’s “small percentage” of affected customers will include Europeans, which will mean that the hotel chain’s breach will fall under GDPR regulation.

If the-powers-that-be investigate the breach and determine that Radisson’s security was lax, it could be fined up to 10 million euros or 2% of its annual global turnover (whichever is higher) for failing to adequately protect the data, and up to 20 million euros or 4% if regulators decide the more serious tier of GDPR penalties applies.

Ouch.
