Hackers Take Aim at Trump Hotels and Hard Rock Hotels and Casinos

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

14 Trump Hotels Caught Up in Reservation Systems Breach

Hackers may have stolen customer payment information from multiple Trump Hotel locations, including D.C.

The breach occurred in a third-party reservation-booking system provided by Sabre Corp, the Trump Hotels said in a statement. Sabre notified Trump Hotels June 5 “an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information.” 

People who used the booking systems from Aug. 10, 2016, through March 9, 2017, could be affected. The Trump Hotels statement said the data accessed could include payment card information (possibly including the security code to prove physical possession of the card) and in some cases, guests’ email, phone numbers and addresses.

Trump Hotels is one of many travel-related businesses that use the Sabre Corp. tool called the SynXis Central Reservations. When the company disclosed the breach in its Security and Exchange Commission filing in May, it said the system supports 32,000 hotels. Hard Rock Hotels & Casinos notified guests in July some of their guests may have been compromised because of the same incident.

Misconfigured Server Exposed 6M Verizon Customers

“Human error” caused 6 million Verizon customers’ personal data to be available online, the company confirmed Wednesday.

A misconfigured cloud server—maintained by a third party—made customer phone numbers, names and some PINs available to anyone who had the link, Verizon told CNNTech.

Chris Vickery, a security researcher with UpGuard, discovered the breach and notified Verizon on June 13. The problem was fixed June 22. Vickery told ZDNet, which first broke the story, that as many as 14 million Verizon customers who called Verizon’s customer service may have had their information exposed.

The names, phone numbers and PINs are enough to verify account ownership, so someone could have taken over subscribers’ accounts, according to ZDNet.

Verizon said customer information was not lost or stolen.

Vickery also recently discovered a misconfigured Amazon Web Services S3 bucket that exposed data of 198 million voters.

Hard Rock Hotels and Casinos Suffer Data Breach

Hard Rock Hotels & Casinos announced last week an unauthorized party had gained access to customer data, including information related to payment cards and reservations.

The group was notified June 6 about a security incident through third-party hotel reservation system The Sabre Hospitality Solutions SynXis, according to Threatpost. 

An investigation revealed the unauthorized access to payment card and other reservation information happened Aug. 10, 2016. The last access to payment card information occurred March 9, 2017.

Sabre said in a press release compromised information include cardholder name; payment card number; card expiration date; and for a subset of reservations, payment card security code. Additionally, information such as guest name, email, phone number and address were accessed in certain cases.

There is no evidence of continued unauthorized activity, Sabre said.

The Hard Rock Hotel & Casino properties affected include Hard Rock Hotel & Casino Biloxi, Hard Rock Hotel Cancun, Hard Rock Hotel Chicago, Hard Rock Hotel Goa, Hard Rock Hotel & Casino Las Vegas, Hard Rock Hotel Palm Springs, Hard Rock Hotel Panama Megapolis, Hard Rock Hotel & Casino Punta Cana, Hard Rock Hotel Rivera Maya, Hard Rock Hotel San Diego and Hard Rock Hotel Vallarta.