[BreachExchange] American Express, Mastercard fine Rosen Hotel in data breach, lawsuit says

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 29 18:50:45 EDT 2017


http://www.orlandosentinel.com/business/brinkmann-on-business/os-rosen-hotels-data-breach-20170329-story.html

*An insurance company for Rosen Hotels & Resorts has filed a lawsuit
claiming Rosen is not covered for more than $2.4 million in damages related
to a data breach announced last year.*

And the costs could be more than that, if Rosen faces legal claims from
customers, according to the lawsuit.

The lawsuit filed by St. Paul Fire & Marine Insurance Co. offers explicit
details about the high cost of data breaches, particularly with a long-term
data breach. The hotel company warned its customers in March 2016 that its
payment data “may have been” breached
<http://www.orlandosentinel.com/business/brinkmann-on-business/os-rosen-hotels-data-breach-20160308-post.html>
 by malware programs about 18 months earlier.

Rosen allegedly was slapped with $1 million fines from Visa and Mastercard
each; a $128,830 fine from American Express; $50,000 in attorneys' fees;
$15,000 in fees to a crisis-management firm; $40,000 in costs to send
notifications to clients; and a bill for $150,000 to a data forensics team
that identified the breach.

According to the insurance lawsuit filed Monday in Orlando federal court
against Rosen’s sister company Rosen Millennium Technology Group, Rosen’s
costs could keep going up, if individuals affected by the data breach file
additional claims. Several attempts to reach Rosen’s spokeswoman about
additional questions were not successful.

A report sponsored by IBM last year said that the average total cost of a
data breach, worldwide, is about $4 million.

The length of time in which Rosen’s breach occurred drew attention. In
March 2016, a writer on DataBreaches.net said of the Rosen breach: “Having
to disclose a breach to your customers … and a breach that began in 2014
and continued until recently … is not a task I’d relish.”

The technology company, which also includes hotel founder Harris Rosen as
chairman and president along with other Rosen Hotels executives, shares an
address with Rosen Shingle Creek
<http://www.orlandosentinel.com/topic/business/tourism-leisure-industry/hotel-accommodation-industry/rosen-hotels-%26-resorts-ORCRP0017745-topic.html>
 resort. The data breach occurred at Rosen Hotels and was announced by
Rosen Hotels.

Any detailed information about the cost of a data breach can be a
cautionary tale to other companies, said payment industry consultant Allen
Weinberg.

“All these companies dread data breaches. They have to hire outside help.
It’s a big headache,” Weinberg said. “The fines are usually related to the
cards that were compromised. I believe the proceeds are used in part to
compensate the banks and issuers to re-issue cards.”

St. Paul Fire & Marine is seeking a judge’s order declaring that Rosen’s
policy doesn’t require St. Paul to cover the costs of the data breach,
which spanned September 2, 2014 to February 18, 2016. According to the
suit, Rosen asked the insurance company for information about its coverage,
and the company responded with a denial-of-coverage letter.

The insurance company says Rosen had a commercial general liability policy
that doesn’t cover the data breach incident, but the lawsuit gives no
further reason for St. Paul’s decision.

Rosen has several hotel properties in Central Florida, including the
1,500-room Rosen Centre on International Drive.

In a news release announcing the breach, Rosen said it had been informed of
a “pattern of unauthorized charges occurring on payment cards after they
had been used by some of our guests during their stay,” and that “an
unauthorized person installed malware” on its payment card network, which
searched for data read from the magnetic stripe of payment cards.

Weinberg said it’s possible that Rosen’s customer payment data was stolen
but wasn’t used for a period of time.

Since 2015, the banking industry has recommended using cards with
microchips instead of magnetic stripes. As of October 2015, banks and
payment companies have said they will hold merchants liable for stolen data
from magnetic-stripe cards.

Last year Rosen said it had implemented “enhanced security measures” to
help prevent data theft. It had also set up a dedicated hotline for a
period of time for customers with questions about the breach.