Privacy watchers say the breach of personal data of members of the Radisson Hotel Group’s loyalty scheme could be an interesting test case for how the GDPR will be applied.
The Radisson Hotel Group, comprising more than 1,400 hotels in more than 70 countries, has reported a breach of personal data belonging to “a small percentage” of members of its Radisson Rewards scheme.
All affected members have been notified by email, but the group took about a month after becoming aware of the breach to disclose it, well outside the 72 hours that the EU’s General Data Protection Regulation (GDPR) gives data controllers to notify their supervisory authority. The group includes brands such as Park Plaza, Park Inn, Radisson Blu, Radisson Red, Country Inn & Suites, and Radisson Collection. Members of its loyalty scheme are highly likely to include individuals in the EU, whose data is covered by the GDPR. The group is also headquartered in the EU, in Brussels.
Radisson said that on 1 October it had identified a data security incident affecting Radisson Rewards members, but that no credit card information, passwords or previous hotel stays or future reservations were exposed. However, the group did not say when the breach took place nor how the hackers managed to obtain unauthorized access to the data.
Some reports indicate that the breach took place on 11 September, suggesting that its intrusion detection capability is limited. The fact that Radisson is being vague about how many people were affected has prompted speculation that the number is embarrassingly high. The group said its investigation was ongoing, but had revealed that the information exposed included names, addresses, country of residence, email addresses and, in some cases, company name, phone number, Radisson Rewards member number and frequent flyer numbers.
Upon identifying this issue, the hotel group said all unauthorized access had been blocked and all affected member accounts secured and flagged for monitoring. “While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity,” the group told scheme members. The group also warned members that third parties may claim to be Radisson Rewards and attempt to gather personal information by deception such as using links to fake websites. “Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future,” the group said.
Ross Rustici, senior director of intelligence services at security firm Cybereason, said the breach will be an interesting test case under the GDPR, which has been in full force since 25 May 2018. “Like the British Airways breach earlier this year, each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations,” he said.
If the breach is found to have infringed the organization’s obligations under specific articles of the GDPR, the Radisson Group could be fined up to €10m, or 2% of annual global turnover, whichever is higher. But if the breach is found to have infringed individuals’ privacy rights, the group could be liable for a fine of up to €20m or 4% of annual global turnover, whichever is higher.
Rustici said the breach could also be significant because the combination of address, frequent flyer numbers and Radisson Rewards numbers can be useful for specific, low-incidence criminal use cases. “Unlike a large-scale credit card breach, the most likely way this information is to be monetized is through enhancing a pattern-of-life analysis on particular individuals, either high-net-worth or people with specific access to something. This type of information is far more useful for an intelligence targeting package than for large-scale monetization,” he said.
Tony Richards, group CISO and head of consulting for Falanx Group, said that because the breach appears to be due to an attacker having an authorized employee’s credentials, it will be interesting to see if these were stolen in a phishing attack or similar. “While security controls can be put in place to reduce the likelihood of a phishing attack being successful, they cannot be stopped 100% of the time. This is why it is important to use security controls like MFA [multifactor authentication],” he said.
As financial services and other highly regulated industries lock down their apps and websites, attackers are increasingly moving on to softer targets that are still “data rich” in terms of the kind of personal information that can be stolen and then monetized, observed Rusty Carter, vice-president of product management at Arxan Technologies. “The Radisson breach further highlights the hospitality industry as a target and the weaknesses of companies to identify attacks underway,” he said. “Even with legislation like GDPR, companies are not securing or quickly disclosing the loss of customer information. Consumer trust is being stressed to the limit and we may be nearing an inflection point where a dramatic consumer plus government response will have acute and long-lasting impacts on business performance.”