The Trump Organization has just provided details of a major credit card breach lasting more than a year and potentially affecting anyone who used a credit or debit card to book into or make a purchase at a number of Trump hotels: Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto.
According to the Trump Organization:
Between May 19, 2014, and June 2, 2015, we believe that there may have been unauthorized malware access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels managed by the Trump Hotel Collection. For those customers that used credit or debit cards to make purchases during this time, we believe that the malware may have affected payment card data including payment card account number, card expiration date and security code. For the Las Vegas and Waikiki properties, cardholder first and last name may also have been affected for transactions in our restaurants, gift shops and other point-of-sale purchase points at those properties.
Installing malware on point-of-sale (POS) devices is a common trick used by criminal hackers to steal credit card details. The same thing happened to Target and, more recently, some Hilton Hotels. However, in most cases the breaches are detected in much less than a year. The Trump Organization only became aware of the breach when it was notified by various financial institutions. When credit cards are compromised, banks check to see if there is a single store where a lot of them were previously used; if so, it's likely that there is a breach there. In this case the notification took place months ago, and the story was broken by security blogger Brian Krebs in July.
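The check the banks run, sketched as an added example that is not part of the original post or any bank's actual system: it flags a merchant that most fraud-reported cards have in common and that is over-represented compared with all cards, so a shop everyone uses is not blamed. The card and merchant names, the sample data and both thresholds are constructed assumptions, and the histories are assumed to be already limited to the look-back window.

```python
from collections import Counter

# Constructed sample: card -> merchants it was used at in the look-back window.
HISTORY = {
    "card01": {"Hotel A", "Grocer", "Fuel Co"},
    "card02": {"Hotel A", "Grocer"},
    "card03": {"Hotel A", "Grocer", "Cafe"},
    "card04": {"Hotel A", "Grocer", "Fuel Co"},
    "card05": {"Hotel A", "Grocer"},
    "card06": {"Grocer", "Cafe"},
    "card07": {"Grocer", "Fuel Co"},
    "card08": {"Grocer"},
    "card09": {"Grocer", "Cafe"},
    "card10": {"Grocer", "Fuel Co"},
}
# Constructed sample: cards on which fraud has been reported.
COMPROMISED = {"card01", "card02", "card03", "card04"}


def common_points_of_purchase(history, compromised, min_share=0.8, min_lift=2.0):
    """Return (merchant, share, lift) for merchants that most compromised cards
    used AND that are over-represented compared with all cards.
    The default thresholds are illustrative assumptions."""
    bad = [c for c in compromised if c in history]
    if not bad:
        return []
    bad_counts = Counter(m for c in bad for m in history[c])
    all_counts = Counter(m for used in history.values() for m in used)
    hits = []
    for merchant, n_bad in bad_counts.items():
        share = n_bad / len(bad)                        # fraction of fraud cards seen here
        baseline = all_counts[merchant] / len(history)  # fraction of all cards seen here
        lift = share / baseline
        # A merchant everybody uses has share ~1 but lift ~1, so it is not flagged.
        if share >= min_share and lift >= min_lift:
            hits.append((merchant, round(share, 2), round(lift, 2)))
    return sorted(hits, key=lambda h: (-h[2], -h[1], h[0]))


def exposed_cards(history, compromised, merchant):
    """Cards used at the suspect merchant with no fraud reported yet."""
    return sorted(c for c, used in history.items()
                  if merchant in used and c not in compromised)


if __name__ == "__main__":
    for merchant, share, lift in common_points_of_purchase(HISTORY, COMPROMISED):
        print(merchant, share, lift, exposed_cards(HISTORY, COMPROMISED, merchant))
```

In the sample, the grocer appears on every compromised card but also on every other card, so only the hotel is flagged; the remaining card that was used there is the one to watch or reissue.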
The Trump Organization hired a forensic investigator to look into the breach. They claim, "The independent forensic investigation did not find any evidence that any customer information was removed from our systems." This is ridiculous. Of course the credit card numbers were stolen; that's how the banks discovered the breach. It's either incompetence on the part of the investigator or a preemptive move to protect against lawsuits.
Expect to see this story hit the mainstream press in the next week or so.