Radisson Hotel Group Confesses To Security Incident

Radisson Hotel Group has told members of its loyalty scheme that their personal details were exposed in a data breach.

The hotel chain and conference centre fave said it “identified” the security foul-up on 1 October, weeks after it happened on 11 September, but only emailed the affected holders of Radisson Rewards cards yesterday.

The mail sent by the group stated:

The breach affected a “small percentage” of the Radisson Rewards members, the email stated, but didn’t provide any specifics about numbers.

The hotel chain said that when it identified the “issue” it immediately revoked access to the unauthorised person or persons.

“All impacted members' accounts have been secured, and flagged to monitor for any potential unauthorised behaviour. While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity.”

It added that loyalty card holders should also be cautious about potential phishing scams as miscreants may attempt to build on the information already gathered.

“Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future.”

The business made no reference to which system the miscreants snuck in through, and provided no other technical details. We have sent a bunch of questions to the relevant employees.

The group operates various brands including the Radisson, Radisson Blu, Radisson Red, Country Inns and Suites by Radisson and Park Inn by Radisson, spread over more than 1,000 locations in 73 countries.

Radisson made no reference to informing the UK’s Information Commissioner’s Office of the breach.

El Reg has asked the ICO to comment. Under the European General Data Protection Regulation introduced in the UK on 25 May, a business has 72 hours after becoming aware of the breach to inform the data watcher of a security scuffle. If it doesn’t meet those requirements, the business has to explain why.

Updated – 13.17 on 31 October

Radisson contacted us post-publication with a statement that fails to answer any of the questions we asked.

“The data security incident impacted less than 10 percent of Radisson Rewards member accounts,” a spokesman said. He did not quantify how many people that equates to.

Updated – 09.50 on 1 November

The ICO has contacted us following publication of this story with a statement:

“All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us and we can look into the details.” ®
