Destination Hotels in 12 states affected in massive card breach

Date Reported:
8/6/10

Organization:
Destination Hotels & Resorts ("DHR") *

*This is an update and continuation of a previous Breach Blog post; see: More than 700 upscale hotel guests affected by credit card breach

Contractor/Consultant/Branch:
None

Location:
Various

Victims:
Patrons of 22 DHR properties

Number Affected:
Undisclosed*

*There is no disclosure of the total number, but according to the New Hampshire Attorney General letter there are approximately 470 New Hampshire residents affected.

Types of Data:
"credit or debit card information, including card numbers and expiration dates"

Breach Description:
"Between April 2009 and June 2010, the computer systems of some DHR hotels were accessed without authorization.  As a result, credit or debit card information, including card numbers and expiration dates, may have been subjected to unauthorized access by third parties."

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
New Hampshire Attorney General

Response:
From the online source cited above:

Letter to Attorney General:

I write on behalf of my client, Destination Hotels & Resorts, Inc. ("DHR"), to inform you of a recent incident involving the personal information about some of your state's residents.

Between April 2009 and June 2010, the computer systems of some DHR hotels were accessed without authorization.
[Evan] Are they unable to determine when the breach occurred exactly, or did this breach begin in April, 2009 and not get noticed until June, 2010?  I am guessing the latter.  14 months without detection.  Ugh.

As a result, credit or debit card information, including card numbers and expiration dates, may have been subjected to unauthorized access by third parties.
[Evan] This information WAS subjected to unauthorized access, not "may have been".  There is a difference.

At this time DHR has no reason to believe that any other personal information, such as Social Security numbers, was stolen.
[Evan] Well, no surprise here.  What hotel asks for a Social Security number when you book a room or dine in their restaurant?!

This incident affected 22 DHR properties in Arizona, California, Colorado, New Jersey, New Mexico, New York, North Carolina, Oregon, South Carolina, Texas, Vermont, and Washington.

There were no affected properties in the State of New Hampshire.
[Evan] Could this be because Destination Hotels & Resorts doesn't have any properties in New Hampshire?

Approximately 470 citizens of the State of New Hampshire were affected by this security breach.

DHR took action by immediately notifying the payment card processing companies that this payment card information may have been subjected to compromise as a result of the breach.

DHR also engaged a specialized computer forensics company to conduct a comprehensive investigation of the computer security breach.

DHR is notifying all affected individuals via first class mail, e-mail and/or substitute notice, and is providing them with precautionary information and measures they can take to safeguard their information.

These notifications began mailing on or about July 20, 2010.

Letter to victims:

Destination Hotels & Resorts values your business and respects the privacy of your information, which is why we wish to inform you that between _________ of this year the computer systems of some Destination hotels were accessed without authorization.
[Evan] This breach occurred through unauthorized access of the management company's computer systems.

This unauthorized access was in violation of both civil and criminal laws.
[Evan] Yeah, criminals are really concerned about laws!

Destination has been coordinating with law enforcement, including the FBI, to assist in the investigation of this incident.

The hotels that we believe were affected include those listed on the other side of this letter.

As a result of this unfortunate incident, your credit or debit card information, including your card number and expiration date, may have been subjected to unauthorized access by third parties.
[Evan] Not "may have", it was.

Destination Hotels & Resorts took action immediately by engaging a specialized computer forensics company to conduct a comprehensive investigation of the computer security breach.

We are also taking several steps to enhance existing security controls.

As a result of the quick response, we have no reason to believe that your payment card data is currently at risk within any Destination hotels.
[Evan] Quick response?!  Didn't we read earlier that the timeframe was 14 months?  Doesn't seem so quick.

Other than in the form of this written letter, Destination Hotels & Resorts will not initiate further contact with you about this incident, either by phone or in writing, and will not ask you to confirm any sensitive personal information, such as your Social Security number.

Destination Hotels & Resorts regards the privacy of consumer information with the utmost of importance.

To that end, Destination Hotels & Resorts has numerous security measures in place to safeguard our customers' payment card information.
[Evan] We can only imagine.

Further, Destination Hotels & Resorts continues to implement additional security measures in order to meet the demands of today's computer based society.

If there is anything we can do to assist you further, please feel free to call us at 1-800-XXX-XXXX.

We truly regret any inconvenience for this situation.

List of Destination Properties
The Carolina Inn
The Driskill Hotel
Estancia La Jolla Hotel & Spa
Hamilton Park Hotel & Conference Center
Hotel ICON
Inn and Spa at Loretto
The Inverness Hotel and Conference Center
L'Auberge Del Mar Resort and Spa
Manor Vail Lodge
Miramonte Resort & Spa
Resort at Squaw Creek
Paul J. Rizzo Conference Center
Skamania Lodge
Stowe Mountain Lodge
Suncadia Resort
Tarrytown House Estate & Conference Center
Tempe Mission Palms Hotel and Conference Center
Vail Cascade Resort & Spa
Wild Dunes Resort
Destination Resorts Snowmass
Destination Resorts Vail
The Gant

Destination Hotels & Resorts does not appear to be offering any identity theft protection services to victims.

Commentary:
According to news reports, there is confirmed fraud tied to this breach.  We have very little information surrounding the details of this breach, so speculation is the best we can offer in terms of how this breach happened and what controls may have been missing.  The investigation is likely ongoing, and this may be a reason for limited disclosure.

For more information see: More than 700 upscale hotel guests affected by credit card breach

Past Breaches:
Unknown

 