The Trump Hotel Collection has agreed to pay a $50,000 fine for failing to inform guests about a data breach.
New York Attorney General Eric Schneiderman also ruled the hotel chain must strengthen security measures after three separate breaches exposed more than 70,000 credit card numbers.
Schneiderman said banks became aware something was amiss in May 2015 when they tracked hundreds of fraudulent credit card transactions, and determined Trump hotels had been the victim of a cyberattack. Preliminary investigations showed the malware had targeted multiple locations, including networks in Chicago, New York and Las Vegas. Further probes showed the chain’s payment system had initially been infiltrated in May 2014.
Evidence shows the company knew about the attack as early as June 2015 but did not tell customers until four months later, which is a violation of New York law, according to the attorney general.
The hotel chain was hit with a second data breach in November 2015 when a hacker installed malware on 39 systems. According to Schneiderman, this attack was not discovered until March 2016. The systems breached in the second attack held the personal information for more than 300 properties, including customer social security numbers.
“Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations including almost every major hotel company,” said Jennifer Rodstrom, a spokeswoman for Trump Hotels. “Safeguarding our customers’ data is a top priority for the company, and we will continue taking actions to do so.”