[BreachExchange] Radisson Hotel Group Spills Customer Data

[Destry Winant]

https://www.infosecurity-magazine.com/news/radisson-hotel-group-spills/

Radisson Hotel Group has become the latest big brand in the sector to
suffer a data breach, after admitting that a "small percentage" of
loyalty club members had their personal information accessed by an
unauthorized person.

The notification statement is worded in such a way as to hint that the
attacker may have gained access first to staff accounts, which in turn
exposed the customer data.

“Upon identifying this issue Radisson Rewards immediately revoked
access to the unauthorized person(s). All impacted member accounts
have been secured and flagged to monitor for any potential
unauthorized behavior,” it noted.

Although the breach didn’t affect credit card or password information,
it did expose Radisson Rewards member names, addresses, email address,
and in some cases, company names, phone numbers, Radisson Rewards
member numbers and frequent flyer numbers.

That could be useful for “specific, low incidence, criminal use cases”
according to Ross Rustici, senior director of intelligence services at
Cybereason.

“Unlike a large-scale credit card breach, the most likely way this
information is to be monetized is through enhancing a pattern of like
analysis on particular individuals, either high net worth or people
with specific access to something,” he continued. “This type of
information is far more useful for an intelligence targeting package
than for large-scale monetization."

Given that the chain operates under numerous brands with 1400 hotels
all over the world, the GDPR is likely to come into play here.

That could spell trouble, given the firm said it identified the
incident on October 1, almost a month before notifying.

“Like the British Airways hack earlier this year, each major company
that suffers an incident is going to be a test bed for how stringently
GDPR gets enforced and what the private sector can actually expect
from the regulations,” said Rustici.