A “voluntary” data breach disclosure

By | Wednesday November 25th, 2015

Data breach hits Hilton Worldwide hotel chain

Cybersecurity journalist Brian Krebs, citing several banking sources, reported on his blog on Friday 25 September 2015 that a pattern of fraud has been detected involving credit cards that had been used at point-of-sale registers in gift shops and restaurants at “a large number of Hilton Hotel and franchise properties.”

In a statement to NBC News on the afternoon of Friday 25 September 2015, a Hilton Worldwide spokesperson said he was aware of the report.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace,” the statement said. “We take any potential issue very seriously, and we are looking into this matter.”

Yesterday, 24 November 2015, Hilton Hotels and Resorts reported on its website that some of its point-of-sale devices had been compromised, some potentially as far back as November 2014.

“We have determined that the payment card information may have included cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).”

However, the exposed data could enable attackers to create counterfeit cards and make purchases online, by phone or by mail order!

As a precautionary measure, the hotel group advised customers to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel between 18 November and 5 December 2014, and between 21 April and 27 July 2015.

If I compare this case with the new European Privacy Regulation’s rules on data breach disclosure, I think some weaknesses catch the eye:

– They spent more than 72 hours between the discovery of the data breach and the disclosure to customers

– The data breach lasted more than a year and was discovered by third parties; therefore the measures in place were not sufficient

– The disclosure did not indicate the measures implemented for data protection, nor those taken to reduce the damage

… and maybe there are other weaknesses, but these are enough!


About Francesca Gatti

At the end of a working life dedicated to Information Systems in multinational companies, I have found the shares of a start-up in the medical industry, specialized in technologically advanced prosthetic devices. Here I set up the Quality Management System, obtained ISO9001 and ISO13485 certification, and completed an important Call of the Lombardy Region and the Ministry of Education on a project of technological medical innovation. At the same time I continue to advise on projects of Quality, Security and Governance of Information Systems. CISA since 2006 and CIGIT since 2008, I’m a member of the AUSED Executive Council and coordinator of the Security and Compliance Observatory.
