NEW YORK (Legal Newsline) - In September, New York Attorney General Eric T. Schneiderman announced a settlement with Trump
Hotel Collection (THC) after data breaches allegedly exposed more than 70,000 credit card
numbers and other personal data.
According to Schneiderman, THC failed to timely
notify its customers of a first security incident and failed to timely
implement THC’s forensic investigator’s remediation recommendation before the
second security incident occurred.
Under the agreement, THC must pay $50,000 in
fines and is required to improve its data security.
“It is vital in this digital age that companies take all
precautions to ensure that consumer information is protected, and that if a
data breach occurs, it is reported promptly to our office, in accordance with
state law,” Schneiderman said.
“Consumers' personal information is
all too often exposed to wrong-doers with ill-intent. We will continue
working to help protect hardworking New Yorkers from all forms of identity
According to court documents, in May 2015 multiple
banks analyzed hundreds of fraudulent credit card transactions and determined
that THC was the last merchant at which a legitimate transaction took place.
The investigation traced the breach back to May 19, 2014, when an attacker infiltrated THC’s payment processing system.
“Using this unauthorized access, the attacker deployed
malware designed to steal credit card information across the THC computer
network and credit card processing environment,” the court document said. “By
June 10, 2015, a preliminary forensic investigation confirmed the existence of
credit card targeting malware at multiple THC locations, including in the
computer networks associated with New York, Las Vegas and Chicago hotels.”
According to the AG’s report, despite THC's knowledge that
multiple properties had been infiltrated with malware designed to steal credit
card numbers and that banks had analyzed multiple fraudulent transactions and
identified THC as the source of the breach, it did not provide notice to
customers until close to four months later, in September 2015, when it placed a
notice on its website about the data security breach.
The AG’s office also explained that on March 30, THC
received additional reports from its payment processors about a second
breach. Another forensic investigation revealed that THC experienced a
second breach in which an attacker gained unauthorized access on Nov. 10,
The final forensic investigation report of the first breach
recommended that THC adopt additional security precautions including
“two-factor authentication” for remote access to the THC network, which is an
extra layer of security that requires not only a username/password but
additional information that only the user will know. THC did not
implement the recommendations in a timely manner, Schneiderman alleged.
“It was not until April 4, 2016, that THC adopted this
solution,” the AG’s office said in a press statement. “If THC had adopted this solution after
the first breach, consistent with its forensic investigator’s recommendation,
it may have prevented the second breach.”
This settlement, according to the AG’s office press release, is a
demonstration of the office's commitment to keep fraudulent activity from happening to
its citizens and to hold companies accountable for their lack of security when
something like the THC breach happens.