The Radisson Hotel Group reported a potential breach that affected its loyalty and rewards scheme members. The Radisson Hotel Group is based in Brussels, Belgium, and manages a chain of more than 1,400 hotels located in 70 countries. The hotel group also operates the hotel brands Country Inn & Suites, Park Plaza, Park Inn, and Radisson Collection. Because the group’s headquarters is located in an EU country, it is subject to the General Data Protection Regulation (GDPR), compliance with which has been mandatory since May 25, 2018.
According to this EU regulation, any organization that discovers a data breach affecting it must report the security incident within 72 hours of discovering the breach. An investigation will then be conducted to review whether the company was fully compliant with the requirements of the GDPR. If not, the company may face a fine of up to €20m or 4% of yearly global revenue, whichever amount is higher.
Radisson Rewards loyalty scheme subscribers received notification on October 30 and 31 that a breach had been discovered on October 1. The notification explained that the breach most likely occurred on September 11 and that the types of data compromised included identifying elements such as names, addresses, country of residence, email addresses, company names, phone numbers, Radisson Rewards member numbers, and frequent flyer account numbers. No financial information or passwords were exposed.
The Radisson Hotel Group’s notice also informed its members that Radisson Rewards quickly terminated the unauthorized access. All affected subscriber accounts were secured and flagged so that any further unauthorized activity can be tracked. Radisson Rewards considers this breach a serious incident, and an in-depth investigation is continuing. Steps are also being taken to improve security and prevent any further breaches.
Although the hotel group stated that fewer than 10% of its members were impacted, there has been no public disclosure of the exact number of subscribers affected by the breach. The hotel chain’s bulletin indicates that employee accounts with access to membership data were fraudulently accessed by the attacker, which suggests this was a phishing attack.