Radisson loyalty program suffers data breach

Radisson Blu Exterior
An attacker gained access to Radisson Rewards members’ names, physical and email addresses but credit card and password data were not exposed. Photo credit: Radisson Hotel Group

The Radisson hotel chain is notifying customers of a data breach after members of its Radisson Rewards program were compromised in a security incident. Radisson Rewards first detected the breach on Oct. 1 and revoked access to the unauthorized party, the company reports. 

Radisson Hotel Group released a statement confirming the data-security incident. In the statement, it said that no credit card or password information was compromised. Instead, information accessed was restricted to member names, addresses, email addresses, company names, phone numbers, Radisson Rewards member numbers and frequent-flyer numbers.

The hotel added that it immediately revoked access to the unauthorized persons and all affected member accounts have been secured and flagged so that the hotel can monitor them for unauthorized behavior. It also added that members should monitor their own accounts for suspicious activity and that the hackers may try to email members, claiming to be Radisson Rewards, asking for personal information such as password and user information.

Virtual Event

Hotel Optimization Part 3 | January 27, 2021

With 2020 behind us and widespread vaccine distribution on the horizon, the second half of the new year is looking up, but for Q1 (and most likely well into Q2) we’re very much still in the thick of what has undeniably been the lowest point of the pandemic. What can you be doing now to power through and set yourself up for a prosperous 2021 and beyond? Join us at Part 3 of Hotel Optimization – A Virtual Event on January 27 from 10am – 1:05pm ET for expert panels focused on getting you back to profitability.

“Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future,” the company said in a statement.

The incident may not be so quickly forgotten, however. The hotel chain is headquartered in Brussels, Belgium, and so is held under the European General Data Protection Regulation, which launched on May 25.

GDPR requires companies that suffer a data breach to report the incident within 72 hours of an organization becoming made aware of it. Should regulators choose to investigate and find security wanting, organizations can be fined up to 10 million euros or 4 percent of the company's annual global revenue, whichever is higher.

Radisson Hotel Group confirmed to ZDNet that “upon discovering the data incident, Radisson Hotel Group promptly informed EU regulators of the situation.”

The hotel chain moved quickly once it discovered the breach 20 days after it occurred, which was relatively fast detection work, reported BankInfoSecurity. Indeed, incident response firm Mandiant said that last year, on average, intrusions went unnoticed for 57.5 days before being spotted.

It's not clear if the Radisson breach may have been a targeted or opportunistic attack. But the restaurant and hospitality sector continues to suffer a data-breach epidemic. The Loyalty Fraud Association said law enforcement agencies are taking a closer look at loyalty fraud, whether it's committed by current or former employees, or increasingly, organized crime syndicates. Europol, the EU's law enforcement intelligence agency, has been paying more attention to loyalty fraud, including as part of its “action days,” which focus on fraud in specific industry sectors.

Loyalty program members have long been targeted via phishing attacks, and some estimates put the value of funds stored in global loyalty programs at $200 billion.

Earlier this year, hackers got to hotel booking website FastBooking to install malware and pilfer data, such as names, email addresses, booking information and payment card data, from guests at hundreds of hotels. In March, Orbitz disclosed a security breach that may have exposed the data of thousands of customers, including information on 880,000 payment cards.

Back in 2016, Hyatt Hotels Corporation disclosed a breach of payment cards that affected 250 hotels in approximately 50 countries, making it one of the most wide-ranging incidents in a rash of hotel cyberattacks. Also that year Hilton, Mandarin Oriental, Trump Hotels and Starwood Hotels & Resorts Worldwide were affected by hacker attacks.

Last year, a data breach at third-party hotel-reservations provider Sabre impacted multiple hotels, including those from Four Seasons Hotels and Resorts, Trump Hotels, Kimpton Hotels & Restaurants and RLH CorporationIHG also announced two data breaches last year.