Card and contact information stolen in Trump Hotels breach

Service provider Sabre was attacked, but that shouldn't absolve the Trump chain of responsibility

A service provider to Trump Hotels has been hit by a data breach: the third breach affecting the chain in three years. While Trump Hotels' own systems were not compromised, sensitive information about its guests was lifted from the servers of the third party.

Sabre Hospitality Solutions, which operates the central reservation system used by the Trump Hotels chain, earlier this month notified the company that it had been breached. The first breach was recorded in August last year and the most recent in March this year. Card data (including names, numbers and potentially security codes) and contact information were stolen.

The attack has also affected other travel firms working with Sabre. Trump Hotels has issued a statement about the breach, but has not said how many guests were affected.

This is the third data breach to affect the hotel chain since 2014. The first saw seven hotels affected by malware between 2014 and 2015, and the second was reported in 2016.

A security expert told Computing, "With news that Donald Trump's hotel chain has been hit by its third data breach in just three years, questions will certainly be asked whether it has been triggered as a result of recent political events. We're seeing an increasing number of attacks being used to influence socioeconomic events, such as attacking the assets and accounts of persons of power, as seen with the string of breaches of election candidates this year.

"As cybercrime increasingly becomes a tactic used to influence events offline, as well as online, it is increasingly important that all organisations take significant steps to secure their software, web applications and networks to ensure that they aren't their weakest points of attack."

Rik Ferguson, VP of security research at Trend Micro, told the BBC that, despite it being a third party that was hacked, Trump's chain is not beyond reproach:

"It's part of your due diligence to ensure that your suppliers are of the same security standard," he said.