Radisson Hotel Group data breach involves Reward program members' data

by Lucia Danes

Radisson Rewards data breach exposes personal information about customers

Radisson Reward program breach 

Recently, Radisson Hotel Group issued a report about a Radisson Rewards data security incident[1] that was identified on October 1st, 2018. As the company has stated, an unauthorized individual gained access to the database in which various information about the program members was stored. Unfortunately, no further details about how this information was breached have been provided.[2]

According to the report[3], the data breach impacted a small percentage of the reward program members from around the world. The company assures that its investigation showed that no credit card or password details had been exposed during the security incident:

Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flyer numbers on file.

The Radisson Rewards program gives tons of advantages to Radisson Hotel Group customers from all over the world. Privileges and additional services cover more than 1000 hotels in the world, so it is no surprise that the program is very popular.

Credit card information and passwords did not get involved in the breach 

Although this data breach affected a small part of the Radisson Rewards members and did not include people who stayed at a Radisson Hotel, it may still lead to more privacy issues. In a statement, the company assured that there was no credit card information or passwords in the database, and later on, Rossi Rustici, senior director of intelligence services at Cybereason, said that this fact makes the impact of the Radisson Hotel Group incident much smaller.

EU regulators were notified about the event immediately, since there have been many security incidents involving huge companies,[4] as Rustici mentioned:

The two large implications of this particular incident revolve around how the EU decides to enforce GDPR. Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a testbed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations.

The access was immediately canceled, and the affected people informed

The hotel chain's report stated that shortly after this incident was identified, the company revoked the unauthorized person's access. The Radisson Rewards statement also noted that there is still a possibility of further damage or misuse of the stolen personal data even though all accounts were secured:

All impacted members accounts have been secured, and flagged to monitor for any potential unauthorised behaviour.

People should be cautious and aware of potential scams. Radisson Rewards assured that the company takes this event seriously and keeps the investigation going. No technical details about the breach have been released, and there is no information about the affected system:

While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity. 

This incident may lead to more prominent privacy issues if malicious actors claim to be Radisson Hotel Group staff and ask for more personal information, or use more deceptive techniques like phishing[5] to gain access to the system or gather sensitive data. Remember that official emails from companies like Radisson would not ask you to provide any personal information, credit card or password details via email.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.


References