Trump Hotels ~ Payment Card Data Breach MIS 5205 Fall 2017 ~ Team 6 M. Sarush Faruqi James Foggie Candace Nelson Tamekia Pitter Nathan Van Cleave
Overview Background What Happened Root Cause Business Impact Control Gaps & Recommendations Questions
Worldwide Trump Hotel Properties
❶ Trump International Hotel Washington, DC (DC)
❷ Trump National Doral Miami (Florida)
❸ Trump International Hotel Waikiki (Hawaii)
❹ Trump International Hotel & Tower Chicago (Illinois)
❺ Trump International Hotel Las Vegas (Nevada)
❻ Trump International Hotel & Tower NY (New York)
❼ Trump SoHo NY (New York)
❽ Albemarle Estate at Trump Winery (Virginia)
Canada
① Trump International Hotel & Tower Vancouver (British Columbia)
Central America
② Trump International Hotel & Tower Panama (Panama)
Europe & Asia
③ Trump International Golf Links & Hotel Doonbeg (Ireland)
④ Trump Turnberry (Scotland)
⑤ Macleod House & Lodge at Trump International Golf Links, Scotland (Scotland)
What Happened...
First Data Breach: 5/14 – 6/15 (Identified 6/15, Disclosed 9/15)
- Malware infected POS terminals
- Payment card information stolen
- Affected seven Trump Hotel properties
Second Data Breach: 11/15 – 3/16 (Identified 3/16, Disclosed 6/16)
- Installed credit card harvesting malware on 39 systems
- Connected to network of a legacy payment system
- Names and SS#’s of > 300 property owners
- Affected five Trump Hotel properties
September 13, 2016: First Data Breach Settlement
- Maintain reasonable security policies & procedures
- Implement two-factor authentication for remote access
- Perform privacy risk assessments & test security controls
- Provide data privacy & breach notification awareness training
- Engage service providers with consistent security practices
Third Data Breach: 8/16 – 3/17 (Notified 6/17, Disclosed 7/17)
- Sabre’s “SynXis” Reservations System
- Payment card details compromised
- Affected 14 Trump Hotel properties

Before we jump into the current breach, let’s take a step back and set the stage as we look at that troubling trend. Between May 2014 and June of 2015, attackers targeted 7 Trump properties and stole thousands of payment card numbers, expiration dates and security codes. The theft is believed to have been carried out through malware-infected POS terminals. Trump Hotels announced the breach publicly in Sep 2015.

In March of 2016, Trump properties was notified of a second breach, where forensics confirmed that from Nov 2015 to Mar of 2016 hackers gained unauthorized access, installed credit card harvesting malware on 39 systems and connected to a legacy payment system network that contained SS#’s of more than 300 property owners. This affected 5 different Trump properties and was disclosed in June of 2016.

In Sep 2016, a settlement was finalized relating to the first breach in 2015. As a result, financial penalties were levied and Trump agreed to improve data security. This brings us to the third and most recent data breach.
What Happened, cont.
“Hackers Strike Trump Hotels Again, Compromising Credit Card Payment Data” (Reuters, July 12, 2017)
- Sabre Corp. Central Reservations System
- Sabre announced breach on May 2nd
- Trump Hotels disclosed breach on July 12th
- 14 Trump Hotel properties affected
- Payment card numbers compromised
- 3rd data breach to impact Trump Hotels

In this latest breach: On May 2nd, Sabre Corporation, a major provider of travel and hospitality software, confirmed that cyber thieves attacked its Central Reservations system. It’s believed that the breach may have impacted as many as 36,000 properties, including 14 Trump properties, and occurred between Aug 2016 and Mar 2017. Sabre claims it can confirm that no more than 15% of average daily bookings were affected. But that still equates to a staggering 150,000 potential transactions that would have been affected.

After announcing the breach: Sabre Corporation notified Trump Hotels on June 5th, and Trump Hotels disclosed the breach publicly on July 12th.

Now let’s take a look at the root cause of this latest breach.
Root Cause
The headlines read Trump Hotels, but…
Who is Sabre Corporation?
- Distribution Channel Management
- Central Reservations
- SynXis (SaaS)
Some Known Clients:
- Loews
- Hard Rock
- Crowne Plaza
- Trump Hotels

Trump in headlines, but…
As previously stated, the headlines for this particular brief list Trump Hotels and its various locations; however, at the core of the breach is a 3rd party SaaS company.

Who is Sabre?
Sabre Corporation is a travel technology company based in Southlake, Texas. It is the largest Global Distribution Systems provider … Sabre is the partner of choice for the world's leading travel agencies and corporate travel programs. Through the Sabre travel marketplace, its GDS, gain global access to more than 400 airlines, 750,000 hotel properties,
Some specific software services offered include:
- Distribution Management
- Channel Management
- Central Reservations… (which is at the heart of the breach we are covering…)

SynXis
SynXis is a software-as-a-service system used by travel agencies, hotels and booking services for such functions as rate and inventory management.
Some of the known users (clients) of Sabre (SynXis) are:
- Loews
- Hard Rock
- Crowne Plaza
- TRUMP HOTELS!
Root Cause, cont.
… SynXis was the gateway, but how did the breach occur?
[Figure: Typical configuration of a central booking system]
[Figure: Gateway to SynXis exposure]
“unauthorized party was able to access cardholder names, payment card numbers, card expiration dates, card security codes for some…” (Travel Weekly)

How did the breach occur?
Quick overview of a typical central booking system:
- Core hardware, software for data management
- Local and remote access to systems
- Software admin and support required

Gateway to SynXis exposure
While it’s still under investigation, it’s been confirmed that an intruder using stolen account credentials for the reservation system had access to payment card details and personal information over this seven-month period.
- Unauthorized party was able to access cardholder names, payment card numbers, card expiration dates, card security codes for some….
- Unauthorized access continued for x months, allowing the unauthorized party to access the aforementioned data for a significant period of time.
- Access was closed upon detection by Sabre.
- Incident response company Mandiant was hired to assist Sabre with its approach to its strategic response.
Business Impact DRAFT
- Financial Loss-$$$
- Reputational Damage
- Loss of Confidence from customers
- Violation of PII Laws
- Credit Card Numbers, Names, Addresses, Phone Numbers stolen

The impact of the three breaches has affected Trump Hotels in a variety of different areas.
- The hotel chain incurred financial losses from the three incidents and could face additional losses from settlements and lawsuits. In 2016, the Attorney General of New York ordered Trump's hotel chain to pay $50,000 in fines for displaying negligence in not telling customers that their personal information was compromised until 4 months after the first data breach was discovered.
- The breach forced Trump Hotels to re-evaluate the security policies in place. The hotel chain was required to better protect sensitive customer data through mechanisms that included staff training, two-factor authentication for remote network access, and regularly testing the safeguards it had in place.
- From an image standpoint, Trump Hotels took a hit when it was revealed that the culmination of the three breaches resulted in the compromise of 70,000 payment card details and 302 social security numbers.
- The breaches also resulted in Trump Hotels being in violation of several PII laws including the Privacy Act of 1974 and the Social Security Number Protection Act of 1974.
- The hotel chain became an easy target in an industry that is struggling to prevent cyber security breaches. Because it is easily accessible to hackers, there is no guarantee that Trump Hotels will not be targeted again in the future.
- Sabre and liability their breaches present to its customers (Trump) - Sarush to clarify for Monday
Controls Gaps & Recommendations DRAFT
- Data encryption and password protocols
- Strengthen firewalls
- Implement security log monitoring
- Invest in top of the line virus/malware protection
- Enhance/update PII policy
- Request updated SLA including requirement for SOC 1
- Given risk, consider hiring external auditors to perform review of controls/policies implemented

Given the frequency of these breaches (3 in as many years), Trump Hotels needs to take more preventive measures, including hiring a security administrator. This should be their only responsibility within the organization.
The breaches have been a result of internal and third-party missteps. As such, Trump Hotels should take care in enhancing both internal procedures, such as data encryption and password protocols, as well as revisiting third-party SLAs.
To prevent unauthorized access, the firewall should be strengthened including . . .
The security administration team should perform routine monitoring of the security log.
Where these efforts fail, the company should also invest in top of the line virus/malware protection. In the event of a breach, the software would be able to clear malicious code/software before widespread damage is caused.
In addition, the PII policy should be updated to ensure that the necessary precautions are in place to protect personal data.
Lastly, we are recommending a thorough review of these recommendations post implementation by an independent party to corroborate that they are in place.
Questions
References
http://fortune.com/2017/07/12/trump-hotels-data-breach/
https://krebsonsecurity.com/tag/sabre-corp-breach/
https://krebsonsecurity.com/2017/07/trump-hotels-hit-by-3rd-card-breach-in-2-years/
https://www.nbcnews.com/tech/security/trump-hotels-confirm-hack-exposed-customer-credit-card-info-n436501
https://ag.ny.gov/press-release/ag-schneiderman-announces-settlement-trump-hotel-collection-after-data-breaches-expose