Donald Trump’s hotel chain has confirmed that credit cards used at seven high-end properties — including establishments in New York, Las Vegas and Chicago — may have been compromised as a result of malware that went unnoticed on system computers for more than a year.
Trump Hotel Collection acknowledged on Monday that sensitive financial data may have been stolen by hackers who had breached a system linked to the chain’s front-desk computers, payment-card terminals and other point-of-sale machines at select properties managed by the Republican candidate’s company.
An “independent forensic investigation did not find any evidence that any customer information was removed from our systems. However, we have decided to provide notice as a precaution and in an abundance of caution for the protection of our guests,” the company said.
Customers who used credit cards at affected locations between May 19, 2014, and June 2, 2015, may have been impacted by malware that put their personal information at risk, the chain warned.
Credit-card account numbers, expiration dates and security codes all may have been compromised by the hackers during the nearly 13-month span the malware went unnoticed, the company conceded, with customers of hotels in Las Vegas and Hawaii at risk of having their first and last names accessed as well.
The hotel chain first warned of a potential breach last week, but did not offer confirmation until Monday — more than two months after security journalist Brian Krebs first reported that Trump computers appeared to have been hacked.
“This tracks almost exactly what I heard from banks in June of this year, who told me they had little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York — were dealing with a card breach that appeared to extend back to at least February 2015. Turns out, it was quite a bit longer than that,” Mr. Krebs wrote this week.
Hotel patrons who used bank cards at the affected properties during the time the malware was present are being extended one year of complimentary fraud resolution and identity protection services by Mr. Trump’s hotels, albeit through Experian, a global information services group.
Experian was revealed earlier this month to have been breached as well, resulting in the reported compromise of personal data pertaining to some 15 million individuals who had filed paperwork with telecom T-Mobile.
On the heels of a similar incident confirmed by brokerage firm Scottrade in the days since the Experian breach was first reported, the cyber hack suffered by Mr. Trump’s hotels is now the third major security breach to come to light in only a week’s time.
“We take the privacy of personal information seriously. Immediately upon learning of a possible incident, we notified the F.B.I. and financial institutions, and engaged an outside forensic expert to conduct an investigation of the incident,” Mr. Trump’s company said in its statement.
Not everyone is satisfied with the hotel chain, however. When THC said on Sept. 29 that it was investigating a potential breach, a lawyer who has frequented the chain promptly filed a suit alleging the company had failed to properly protect the data of its customers.
The claim, entered in U.S. District Court for the Southern District of Illinois on Oct. 2, asks a federal judge to grant class-action status so other hotel patrons can pursue remedy.
According to the complaint filed on behalf of St. Louis attorney John Driscoll, “the root cause of the data breach was defendants’ failure to fix elementary deficiencies in their security systems, abide by industry regulations and respond to other similar data breaches directed at retailers.”
“Had defendants acted competently, criminals would have been unable to access the [personal identifying information].”
Properties affected by the malware, according to the chain, include Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas and Trump International Toronto.
In August, a website of Mr. Trump’s was breached by hacktivists who left a message wishing “America’s first openly [expletive] Presidential Candidate” good luck on the campaign trail. On Wednesday, pollsters at Quinnipiac University said their latest statistics suggest Mr. Trump is the leading GOP candidate for president at the moment in the swing states of Florida, Ohio and Pennsylvania.