Radisson Rewards programme breached

Last month the Radisson Hotel Group, a global player in the hospitality industry with more than 1,400 hotels in 114 countries, discovered that its rewards programme had been breached.

The hack occurred on 11 September 2018 but was only detected on 1 October. Affected Radisson Rewards members were informed several weeks later, on 30 and 31 October.

According to Radisson, fewer than 10% of its members were impacted.

The hotel group has confirmed that no payment card information, passwords or travel history were accessed. However, the following data was compromised:

  • Member names
  • Addresses
  • Countries of residence
  • Email addresses
  • Company names
  • Phone numbers
  • Frequent flyer numbers
  • Radisson Rewards membership numbers

In its announcement, the group said:

“All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior. While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity.”

It also advised members to be aware of phishing emails:

“You should also be aware that third parties may claim to be Radisson Rewards and attempt to gather personal information by deception (known as ‘phishing’) […] Radisson Rewards will not ask for your password or user information to be provided in an e-mail.”

An unclear situation

Although Radisson has contacted those affected, it hasn’t revealed how many of its members had their details compromised, or the source of the breach.

As the group is headquartered in Belgium and many of its members are EU residents, it comes under the jurisdiction of the EU GDPR (General Data Protection Regulation). Radisson has confirmed that “upon discovering the data incident, [it] promptly informed EU regulators of the situation”, but it could still face fines of up to €20 million or 4% of annual global turnover if it is found to have infringed individuals’ privacy rights.

Radisson was unprepared for the incident and is now suffering the consequences. Trying to deal with the fallout from the breach while maintaining daily operations is a challenge for any organisation, regardless of size.

What can organisations do to prepare for a breach?

There are a number of ways to prepare for a data breach. Staff awareness training is essential, along with compliance with regulatory frameworks such as the GDPR and the PCI DSS (Payment Card Industry Data Security Standard). There are also a variety of IT management frameworks that can be introduced to ensure people and processes are in place to deal with any security situations that may arise.

IT Governance’s free webinars cover the GDPR, the PCI DSS, staff awareness and more, helping organisations understand how to become cyber resilient. We’ve also created a quick test to help organisations identify what they need to do to improve business resilience. Assess your breach readiness now.