NEW YORK (Legal Newsline) - In September, New York Attorney General Eric T. Schneiderman announced a settlement with Trump Hotel Collection (THC) after data breaches allegedly exposed more than 70,000 credit card numbers and other personal data.
According to Schneiderman, THC failed to notify its customers of a first security incident in a timely manner and failed to implement its forensic investigator’s remediation recommendation before a second security incident occurred.
The agreement also explained that THC must pay $50,000 in fines and is required to improve its data security.
“It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law,” Schneiderman said.
“Consumers' personal information is all too often exposed to wrongdoers with ill intent. We will continue working to help protect hardworking New Yorkers from all forms of identity theft.”
According to court documents, in May 2015 multiple banks analyzed hundreds of fraudulent credit card transactions and determined that THC was the last merchant at which a legitimate transaction had taken place on the affected cards.
The investigation traced the breach back to May 19, 2014, when an attacker infiltrated THC’s payment processing system.
“Using this unauthorized access, the attacker deployed malware designed to steal credit card information across the THC computer network and credit card processing environment,” the court document said. “By June 10, 2015, a preliminary forensic investigation confirmed the existence of credit card targeting malware at multiple THC locations, including in the computer networks associated with New York, Las Vegas and Chicago hotels.”
According to the AG’s report, THC knew that multiple properties had been infiltrated with malware designed to steal credit card numbers, and that banks had analyzed multiple fraudulent transactions and identified THC as the source of the breach. Despite this, it did not provide notice to customers until close to four months later, in September 2015, when it placed a notice about the data security breach on its website.
The AG’s office also explained that on March 30, THC received additional reports from its payment processors about a second breach. Another forensic investigation revealed that THC experienced a second breach in which an attacker gained unauthorized access on Nov. 10, 2015.
The final forensic investigation report on the first breach recommended that THC adopt additional security precautions, including “two-factor authentication” for remote access to the THC network: an extra layer of security that requires not only a username and password but an additional factor that only the legitimate user can supply. THC did not implement the recommendations in a timely manner, Schneiderman alleged.
“It was not until April 4, 2016, that THC adopted this solution,” the AG’s office said in a press statement. “If THC had adopted this solution after the first breach, consistent with its forensic investigator’s recommendation, it may have prevented the second breach.”
This settlement, according to the AG’s office press release, demonstrates its commitment to protecting its citizens from fraudulent activity and to holding companies accountable for their lack of security when something like the THC breach happens.