Donald Trump’s luxury hotel chain has agreed to pay $50,000 in penalties after failing to timely notify customers that two separate data breaches compromised more than 70,000 credit card numbers and other personal data, the New York Attorney General’s Office announced Friday.
The Trump Hotel Collection will also adopt new security measures, including the implementation of certain safeguards and annual training for its employees, under the terms of a settlement announced by Attorney General Eric T. Schneiderman, a Democrat.
“It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law,” Mr. Schneiderman said in a statement. “Consumers’ personal information are all too often exposed to wrong-doers with ill-intent. We will continue working to help protect hardworking New Yorkers from all forms of identity theft.”
The settlement announced Friday stems from separate data breaches suffered between 2014 and 2016 by the Trump Hotel Collection, a chain of high-end properties owned by the Republican presidential nominee and his three adult children through The Trump Organization, the main holding company for the real-estate developer’s numerous business ventures.
The initial breach occurred on May 19, 2014, when an attacker gained unauthorized access to an administrative account on the chain’s payment processing system and deployed malware designed to steal credit card information across the Trump Hotel Collection’s computer network, the state attorney general said. The incident went unnoticed until a year later when multiple banks discovered “hundreds of fraudulent credit card transactions” on the accounts of customers whose last legitimate transactions took place at Trump hotels.
Card holders affected by the breach were unaware of the incident until the Trump Hotel Collection posted a notice on its website four months after learning it had been hacked — a violation of a state business law that requires victims to be notified “in the most expedient time possible and without unreasonable delay,” the attorney general’s office said.
The hotel chain learned in late March of this year about a second breach that started in November 2015 in which an attacker had installed similar credit card-sniffing malware on 39 systems across five of its properties, as well as a similar effort that allowed the culprit to compromise the names and social security numbers of more than 300 Trump Hotel Collection property owners. Victims were notified on June 10, according to Friday’s statement.
Despite learning of the initial breach in May 2015, the hotel chain failed to adopt significant security measures until this past April when the second incident had already occurred.
“If [Trump Hotel Collection] had adopted this solution after the first breach, consistent with its forensic investigator’s recommendation, it may have prevented the second breach,” the New York State attorney general’s office said.
Hotel guests affected include customers who used credit cards across seven Trump properties, including ones in Manhattan, Miami, Chicago, Honolulu, Las Vegas and Toronto, Canada.
Alan Garten, the Trump Organization’s general counsel, didn’t immediately respond to requests for comment when contacted Friday, Bloomberg reported.
Ironically, the Trump Hotel’s website on Friday prominently featured the words “NEVER SETTLE” on its homepage.
“With our personal mission to deliver unparalleled service and experiences, you never have to settle for anything less than extraordinary,” it continued.
Eric Trump, the presidential candidate’s son, said in April that the FBI and Secret Service were investigating the hacks.
“Like virtually every other company these days, we are routinely targeted by cyber terrorists whose only focus is to inflict harm on great American businesses,” he told IT Pro at the time.