Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trump Hotels ~ Payment Card Data Breach

Published byThomasina Neal Modified over 6 years ago

Similar presentations

Presentation on theme: "Trump Hotels ~ Payment Card Data Breach"— Presentation transcript:

1 Trump Hotels ~ Payment Card Data Breach
Good evening classmates. Team 7 is pleased to share the results of our research associated with a series of payment card data breaches that have impacted Trump Hotels since <<NEXT SLIDE>> MIS 5205 Fall 2017 ~ Team 7 M. Sarush Faruqi James Foggie Candace Nelson Tamekia Pitter Nathan Van Cleave

2 Overview Background What Happened Root Cause Business Impact
Control Gaps & Recommendations Questions I will present background information, followed by Nathan Van Cleave who will tell us about what happened. James Foggie will then delve into the root cause of the most recent data breach, followed by Sarush Faruqi, who will present the business impact. Tamekia Pitter will then discuss the control gaps and our recommendations for improvement, after which we will open the floor to your questions. <<NEXT SLIDE>>

3 Background Macleod House & Lodge at Trump International Golf Links, Scotland Trump International Hotel & Tower Vancouver, BC Trump Turnberry, Scotland Trump International Golf Links & Hotel Doonbeg, Ireland Trump International Hotel Las Vegas Trump International Hotel & Tower Chicago Trump International Hotel & Tower NY Trump SoHo NY Trump International Hotel Washington, DC Albemarle Estate at Trump Winery, VA Trump National Doral Miami Trump International Hotel Waikiki Trump Hotels is a family enterprise that was established in 2006 and built upon the success of the Flagship Trump International Hotel & Tower in New York City that opened its doors to the public in As depicted, the portfolio currently consists of luxury hotels in NY, Washington DC, Chicago, Miami, Las Vegas and Waikiki, and a winery in central Virginia. International Trump hotels are located in Canada, Central America and Europe, including two golf resorts – one in Scotland, and the other in Ireland. In January 2017, President Trump relinquished management of Trump Hotels to his sons Donald, Jr. and Eric to alleviate questions about conflicts of interest, though he retains ownership of the company. As of June, it was estimated that Trump Hotels represent approximately 6% of President Trump’s $2.9B net worth. <<NEXT SLIDE>> Trump International Hotel & Tower Panama Family owned enterprise, currently managed by Donald Trump, Jr. and Eric Trump Established in 2006, based on Flagship Trump International Hotel & Tower in NYC Thirteen luxury hotels located in major US cities, Canada, Central America and Europe Trump Hotels represent approximately 6% of President Trump’s Net Worth

4 What Happened... Identified 3/16 Notified 6/17 Disclosed 6/16
September 13, 2016 First Data Breach Settlement Maintain reasonable security policies & procedures Implement two-factor authentication for remote access Perform privacy risk assessments & test security controls Provide data privacy & breach notification awareness training Engage service providers with consistent security practices Identified 6/15 Disclosed 9/15 First Data Breach: 5/14 – 6/15 Malware infected POS terminals Payment card information stolen Affected seven Trump Hotel properties Identified 3/16 Disclosed 6/16 Notified 6/17 Disclosed 7/17 Third Data Breach: 8/16 – 3/17 Sabre’s “SynXis” Reservations System Payment card details compromised Affected 14 Trump Hotel properties Second Data Breach: 11/15 – 3/16 Installed credit card harvesting malware on 39 systems Connected to network of a legacy payment system Names and SS#’s of > 300 property owners Affected five Trump Hotel properties So let’s walk everyone through exactly what happened. Before we jump into the current breach, let’s take a step back and look at the trend that’s developed over time. An initial breach occurred between May 2014 and June 2015 where attackers targeted 7 Trump properties and stole 1000’s of payment card details through malware infected POS terminals. Trump Hotels did not announce the breach publicly until Sep 2015. Then, in March 2016, Trump Hotels was notified of a second breach where forensics confirmed that from Nov 2015 to Mar 2016, hackers installed credit card harvesting malware, and connected to a legacy payment network that contained SS#’s of more than 300 property owners. This affected 5 different Trump properties and was disclosed in June of 2016. And in Sep 2016, a settlement was finalized relating to the first breach in 2015 and as a result, financial penalties were levied and Trump properties agreed to improve data security. This brings us to the third and most recent data breach. <<NEXT SLIDE>>

5 What Happened, con’t. Hackers Strike Trump Hotels Again, Compromising Credit Card Payment Data Reuters, July 12, 2017 Sabre Corp. Central Reservations System Sabre announced breach on May 2nd Trump Hotels disclosed breach on July 12th 14 Trump Hotel properties affected Payment card numbers compromised 3rd data breach to impact Trump Hotels In this current breach: On May 2, 2017, Sabre Corporation confirmed that cyber thieves attacked its central reservations system. It’s believed that the breach may have impacted as many as 36,000 sites, including 14 Trump properties and occurred between Aug 2016 and Mar 2017. Sabre claims it can confirm that no more than 15% of average daily bookings were affected. But that still equates to a staggering 150k potential transactions that would have been affected. After announcing the breach: Sabre Corporation notified Trump Hotels on June 5th and Trump Hotels publicly disclosed the breach on July 12th Now I’ll turn it over to James and he’ll walk us through the next section. <<NEXT SLIDE>>

6 Root Cause The headlines read Trump Hotels, but… Loews Hard Rock
Who is Sabre Corporation? Distribution Channel Management Central Reservations - SynXis (SaaS) Although several headlines focus on revealing the breach at Trump Hotels … as previously stated, this ACTUAL breach occurred due to a vulnerability within a third-party partner of Trump Hotels. That company is the Sabre (SAY-ber) Corporation. So who is Sabre, and what do they offer? The Sabre Corporation is a travel technology company based in Southlake, Texas. It is the largest Global Distribution Systems (GDS) provider. Among other services offered, Sabre offers Central Reservations software; which is at the heart of the breach we are covering. SynXis is the flagship Central Reservation Software of Sabre SynXis is software-as-a-service system is used by travel agencies, hotels and booking services for such functions as rate and inventory management. -Simply put, SynXis is a third-party company that provides a means for hotels to outsource the IT platform that supports the reservation business for their properties! Some of the known users of Sabre’s SynXis software are: Loews - Hard Rock - Crowne Plaza - and TRUMP HOTELS! <<NEXT SLIDE>> Some Known Clients: Loews Hard Rock Crowne Plaza Trump Hotels

7 Root Cause, con’t. … SynXis was the gateway, but how did the breach occur? So we know Sabre’s SynXis’ reservation software is at the heart of the beach… So how did the breach occur? The image you see on the slide depicts components of a typical booking engine environment Remember, the IT infrastructure maintenance, support and development could reside within the company or reside outside with a third-party company; once again, in the case of this breach study, it is the latter. The core of the booking engine depicted here represents the infrastructure of the third-party The peripheral devices illustrate front-end access to the booking software In addition to client and customer access points; inevitably there needs to be administrative access points within the third-party IT environment… this is where the vulnerability existed and the breach occurred... While it’s still under investigation, it’s been confirmed that an intruder using stolen credentials for the reservation system had access to payment card details and personal information over this seven-month period. The unauthorized party was able to access cardholder names, payment card numbers, card expiration dates, & card security codes Access was closed upon detection by Sabre By providing an environment that allowed infiltration of the SynXis platform, Sabre exposed its business clients, and their customers to potential harm in the form of misuse private data. UP NEXT IS MY COLLEAGUE, SARUSH FARUQI <<NEXT SLIDE>> Typical configuration of a central booking system Gateway to SynXis exposure “unauthorized party was able to access cardholder names, payment card numbers, card expiration dates, card security codes for some…” Travel Weekly

8 Business Impact Financial Loss - $$$ Reputational Damage
Loss of Confidence from customers Violation of PII Laws Credit Card Numbers, Names, Addresses & Phone Numbers stolen Sabre’s Liability: Immediate Risk to Customers Violation of Standard Practices Reputational Damage to client Integration of IT The impact of the three breaches has affected Trump Hotels in a variety of different areas. -The hotel chain incurred financial losses and could face additional losses from settlements and lawsuits resulting from the compromise of customers personal information. In 2016, Trump Hotels settled the first breach and paid $50,000 in fines for not informing customers that their personal information was compromised until 4 months after the first data breach was discovered. -The breach forced Trump Hotels to re-evaluate the security policies in place. The hotel chain was required to better protect sensitive customer data through mechanisms that included staff training, two-factor authentication, and regularly testing existing safeguards. -From an image standpoint, Trump Hotels took a hit when it was revealed that the culmination of the three breaches resulted in the compromise of 70,000 payments card details and 302 social security numbers. -The breaches also resulted in Trump Hotels being in violation of several PII laws including the Privacy Act of 1974 and the Social Security Number Protection Act of 1974. -Although Trump Hotels was in the news for the most recent breach, Sabre Corporation could also be held liable for reasons including customer risk, not following industry standard practices, reputational damage to Trump Hotels, and flaws in integration of IT systems. Although the breach is still investigation, Sabre could have multiple lawsuits coming their way. <<NEXT SLIDE>>

9 Controls Gaps & Recommendations
Hire security administrator and build out team as necessary Utilize data encryption and password protocols Strengthen firewalls Implement security log monitoring Invest in top of the line virus/malware protection Enhance/update PII policy Request review of SLA including requirement for SOC 1 Consider hiring external auditors to perform review of controls/policies implemented Given the frequency of these breaches (3 in as many years), Trump Hotel needs to take more preventive measures. The breaches were a result of both internal and third-party missteps and they should course correct accordingly. Per the settlement as result of the 1st breach, Trump Hotel should hire a security administrator. This should be their only responsibility within the organization. Expanding on the settlement’s directive, we feel they should build out a security administration team As Nathan explained the breaches were caused by malware/unauthorized access/breach of third-party provider We are recommending Trump Hotel utilize data encryption and password protocols We suggested that Trump Hotel should strengthen the company’s firewalls The security administration team should perform routine monitoring of the security log on weekly or daily basis If the above efforts were to fail, the company should also invest in top of the line virus/malware protection as compensating control. In case of another incident involving malware, the software would be able to clear malicious code before widespread damage is caused Trump Hotel should also revisit their PII (Personally Identifiable Information) policy should be updated to ensure that the necessary precautions are in place to protect personal data including encryption and storage Regarding Sabre, Trump Hotel should review/update the Service Level Agreement including the requirement for SOC1. Based on review of the SOC1 and the updated SLA, Trump Hotel may want to consider another third-party provider at the end of the current agreement Lastly, we are recommending a through review of these recommendations post implementation by an independent party to corroborate that that they are in place <<NEXT SLIDE>>

10 Questions Questions? <<NEXT SLIDE>>

11 References https://www.trumphotels.com/

Download ppt "Trump Hotels ~ Payment Card Data Breach"

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Network security policy: best practices

Network security policy: best practices
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
(2011) Security Breach Compromises 75,000 Staff/Student Social Security Numbers Image from this Site Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson,

(2011) Security Breach Compromises 75,000 Staff/Student Social Security Numbers Image from this Site Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson,
Overview of Cybercrime

Overview of Cybercrime
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.

Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.

Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.

© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, 2014 -WITH THANKS TO.

PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.

A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.

Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.
ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.

ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.

Similar presentations

Ads by Google