Security breach at Radisson reward program

Thousands of users have been affected by the incident

Last month, the Radisson Hotel Group, which has more than 1400 hotels distributed in 114 countries, discovered that the system where its rewards program was hosted had been attacked, as reported by experts in digital forensics from the International Institute of Cyber Security.

The attack occurred on September 11, 2018, but was not detected by the hotel group until October 1st. The affected members of Radisson Rewards, the company’s user reward program, were informed several weeks later, during the last days of October.

According to the hotel group’s digital forensics specialists, less than 10% of the members of its rewards program were affected by this incident.

Radisson Hotel Group was able to confirm later that the attackers did not get access to the users’ payment card data, their passwords or travel history. However, the following data were compromised during the incident:

  • Full Name
  • Address
  • Country/countries of residence
  • Email Address
  • Name of the user’s company
  • Phone Numbers
  • Frequent Flyer number
  • Radisson Rewards Membership number

In a security notice, the hotel group stated:

“All the accounts of the affected members have been secured and tracked to monitor any possible unauthorized activity. While the continued risk to Radisson Rewards accounts is low, users are encouraged to stay alert for any anomalous behavior.”

The Radisson Group also advised members to be aware of phishing emails:

Members of our rewards program should keep in mind that third parties could impersonate Radisson Rewards and attempt to collect personal information by deception (a tactic known as phishing). Radisson Rewards will not request your password or user information via email.

Although Radisson has contacted the affected users, it has not revealed how many of its members were affected by this incident, and no details are known about the possible perpetrators of the attack.

Since Radisson’s headquarters is in Belgium and many of its users are residents of the European Union, the incident is under the jurisdiction of the strict GDPR. Radisson has confirmed that “the incident was immediately reported to EU regulators” but could still face fines of up to €20M or the equivalent of 4% of its annual earnings if it is discovered that it has violated individuals’ right to privacy.

Apparently Radisson was not prepared for the incident and is now suffering the consequences, according to specialists in digital forensics. Trying to cope with the consequences of data theft while keeping a company’s regular operations running is a big challenge for any organization, regardless of its size.

What can a company do about it?

There are several ways to prepare for a data security incident. Staff awareness training is essential, along with compliance with regulatory frameworks such as GDPR and PCI DSS (the payment card security standard). Organizations can also work jointly with IT and cybersecurity specialists to establish better computer security policies and comply with the security standards demanded by the authorities.