The Radisson Hotel chain has suffered a data breach with customer credit card numbers possibly accessed.
According to a report by CBS, Radisson announced its computer systems had been accessed without authorisation, with the intrusion running from November 2008 to May 2009 before being detected.
Radisson did not say how many hotels have been affected, but did recommend that all guests check their account statements and report any unauthorised purchases. Radisson also said social security numbers were not included in the data that was accessed.
In an open letter to guests, executive vice president and chief operating officer of Radisson Hotels & Resorts, Fredrik Korallus, claimed that the ‘unauthorised access was in violation of both civil and criminal laws' and that Radisson had been coordinating with federal law enforcement to assist in the investigation of this incident.
Korallus said: “Radisson values guest privacy and deeply regrets this incident occurred. Working with law enforcement and forensic investigators, Radisson is conducting a thorough review of the potentially affected computer systems, and has implemented additional security measures designed to prevent a recurrence of such an attack and to protect the privacy of Radisson's valued guests.
“The company also is working closely with major credit card suppliers and law enforcement to ensure the incident is properly addressed.”
Writing on the Finextra blog, Stephen Wilson, managing director of consultancy Lockstep, said: “Hotel databases are a fantastic target for identity thieves. Hotels don't just hold credit card numbers and billing addresses (which are held for weeks in advance of a stay and for weeks afterwards to secure incidentals), but for many customers the hotel also has their home address, driver licence number, airline memberships and passport number, as frequently collected by hotels in Asia. It's a complete cornucopia for criminals.
“The most dangerous, most difficult to control threat vector in the hotel industry won't be war-driving or SQL injection attacks as used by the Soupnazi hacker Albert Gonzales. It will be the inside job. How many thousand itinerant hotel workers in every corner of the world will have the opportunity to sneak into an admin office after hours, break into the network, and find their way into the central databases?”