Weekly Podcast: Trump Hotels breach, Microsoft, and the GDPR Report

In this week’s podcast, we discuss another breach at Trump Hotels, a change in how Microsoft collects user data, and the GDPR Report 2017.

Hello and welcome to the IT Governance podcast for Friday the 14th July. Here are this week’s stories.

Guests at 14 Trump Hotel properties have had their credit card information exposed in a data breach, marking the third time in as many years that a months-long security breach has affected customers of the chain of luxury hotels.

A notice posted on the Trump Hotels website earlier this week explained that an unauthorized party had gained “access to guest information associated with certain hotel reservations.” The incident occurred on a reservation system provided by Sabre Hospitality Solutions.

The notice read:

“The Sabre SynXis Central Reservations system (CRS) facilitates the booking of hotel reservations made by consumers through hotels, online travel agencies, and similar booking services. Following an investigation, Sabre notified us on June 5, 2017 that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of our hotel reservations.

The investigation found that the unauthorized party first obtained access to Trump Hotels-related payment card and other reservation information on August 10, 2016. The last access to this information was on March 9, 2017.”

Hard Rock Hotels and Loews Hotels were also affected.

Microsoft has updated the way Windows 10 collects users’ personal information, following a complaint from France’s National Data Protection Commission (CNIL).

When users select the ‘Basic’ telemetry setting, the operating system now ensures users explicitly opt in to or out of a setting that allows an advertising ID to track web browsing in order to produce personalised adverts. Windows 10 also tightens the security of its four-digit PIN system that allows users to access Microsoft’s online services.

The changes come in response to the threat of a fine from the CNIL. Last year, the CNIL issued a formal notice against Microsoft, stating that Windows 10 violated France’s data protection laws.

Microsoft asked the CNIL for time to change the way Windows 10 collects data, and was initially given three months. In November 2016, the company asked for more time, and has now come good on its promise. The CNIL announced last month that Windows 10 now complies with France’s data protection laws, and as such, it is dropping its threat of a fine.

This week, IT Governance released its 2017 GDPR report, which analyses data from more than 250 professionals worldwide, identifying the level of awareness of the GDPR, the measures taken to manage compliance, and the key challenges faced in complying with it.

One finding from the report is that 50% of companies have not yet allocated a GDPR staff awareness budget, even though the Regulation requires organisations to conduct regular staff awareness training to make sure employees are appropriately briefed and trained on their data protection responsibilities.

The GDPR, which will be enforced from 25 May 2018, imposes a much stricter regulatory framework for the processing of personal data across the EU than what most organisations are used to.

To download the report, visit www.itgovernance.co.uk/gdpr-report.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.