Radisson Hotels and Resorts issues alert over data breach
by Steve Ragan - Aug 19 2009, 18:20
Radisson, one of the larger and better-known upscale hotel chains across the globe, has issued a public alert about a security breach that took place between November 2008 and May 2009. Not all of the hotels in the chain were affected, Radisson said, but at the same time they will not name the properties that were attacked.
“This unauthorized access was in violation of both civil and criminal laws. Radisson has been coordinating with federal law enforcement to assist in the investigation of this incident. While the number of potentially affected hotels involved in this incident is limited, the data accessed may have included guest information such as the name printed on a guest’s credit card or debit card, a credit or debit card number, and/or a card expiration date,” reads an open letter written by Radisson COO Fredrik Korallus.
So the basic alert from Radisson is that there was a breach between November 2008 and May 2009, at some of the hotels in the chain, which may have included unauthorized access to credit card numbers, expiration dates, and cardholder names. Not all of the properties were a part of the breach, and “since the investigation is still on-going” they cannot name the exact locations of the attacked properties.
Millions of people stay with Radisson each year, if not more. So this news is likely to freak many of them out. The advice given by Radisson is to monitor credit card statements and report any fraudulent charges. They also advise contacting the credit agencies, such as Equifax, and placing an alert on your credit file. Radisson has arranged with Equifax Personal Solutions to provide eligible Radisson guests with free credit monitoring for one year if the guest enrolls by November 18, 2009.
Radisson includes more than 400 locations in 68 countries, which means that since the location information is being withheld, if you stayed at one of them, you might need to pay close attention to your credit charges, or you might not. Radisson isn’t clear on this, as the information from them is a bit of a contradiction.
Radisson said they cannot name the properties involved in the breach because of the on-going investigation. At the same time they are also reporting that, “At this time we do not know how many properties and/or consumers/guests were affected. The forensic investigation is still underway. We believe at this time it is limited to an isolated number of hotels in the U.S. and Canada.”
“With support from law enforcement and forensic investigators, we are conducting a thorough review of the potentially affected computer systems for Radisson hotels, and to ensure the incident is properly addressed. Radisson also has implemented additional security measures designed to prevent a recurrence of such an attack and to protect guest privacy,” Radisson explained.
Yet, they do try to point out that instant panic, even if they are helping to create some of it, is unwarranted, by telling guests and consumers that they are not a victim of identity theft.
“The fact that someone may have had access to personal information does not mean that you are a victim of identity theft, or that the personal information will be used to commit fraud. We wanted to let you know about the incident so that you can take appropriate steps to protect yourself, such as by reviewing your account statements and credit report closely for unauthorized activity, and reporting any unauthorized activity to your credit card company. You may also wish to consider placing a fraud alert or security freeze on your credit files.”
The advice to not panic and to watch the credit charges is wise. Radisson was alerted to potential security issues by information given to them from various payment companies. Visa and MasterCard are mentioned by name in the Radisson alert. However, there is no information on what was given to them to prompt a search for security issues, or what exactly those issues were.
Radisson has taken steps to improve security, but like other businesses who have reported breaches, they will not comment on what was done. It would be nice if they would just tell people what properties were affected, instead of leaving them to wonder.
If you have questions about this alert, you can call Radisson at (866) 584-9255 between 7 a.m. and 11 p.m. CST daily. If you stayed with Radisson, and the breach investigation identified you personally, then Radisson will be sending you a letter if they have not done so already.
Also, so that there is no confusion, Radisson said that at this time they are not aware of any links between this breach and the 130 million credit and debit cards that were hijacked from Heartland, Hannaford, TJX, and others.
“At this time, it appears to be an unauthorized attack from an outside source, and we have no reason to believe it was an insider. The forensic investigation is still underway, and we are unable to provide accurate estimates of the number of potentially exposed records at this time. As more information becomes available, and if disclosing it will not compromise the investigation, we will provide updates,” a spokesperson said in an email.
The Tech Herald will follow this story, and if there are more developments we will update this article.
