Donald Trump's luxury hotel chain fined for cybersecurity failure

A luxury hotel chain owned by Republican presidential candidate Donald Trump has been fined $50,000 (£38,600) for negligent cybersecurity practices after two separate attacks on its payment processing systems exposed more than 70,000 customer credit card numbers.

Over a two-year period, hackers successfully infiltrated the networks of the high-end Trump Hotel Collection (THC) in multiple locations including New York, Las Vegas and Florida, according to the legal settlement released on 23 September.

The damning report, published by New York Attorney General Eric Schneiderman, outlined a series of serious security blunders on behalf of the hotel chain including neglecting to inform impacted customers until months after learning about a major data theft.

It was this delay, Schneiderman said, that broke US business law and prompted the fine.

"It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law," said the attorney general. "Consumers' personal information [is] all too often exposed to wrongdoers with ill-intent."

Detailing the full scope of the breaches, the settlement report outlined how hackers had injected malware into THC computer networks as early as June 2014. It wasn't until a year later that a "preliminary forensic investigation" confirmed the existence of the breach. However, the chain declined to mention the potential loss of financial data to customers for a further three months.

In light of the incident, the forensic report later concluded that Trump hotel officials should force through additional "security precautions" and urgently introduce two-factor authentication for any staff accessing the computer systems remotely. This, allegedly, was completely ignored.

As such, hackers were then able to install more credit-card stealing malware on 39 computer systems across five major hotel properties in November 2015, the settlement stated. Later, in March this year, the hackers connected to a "legacy payment system" that exposed the names and social security numbers of approximately 302 people.

On 4 April this year, the Trump hotel chain finally adopted a two-factor login process however again failed to notify affected customers of the second breach until more than a month later. "If Trump Hotels had adopted this solution after the first breach, consistent with its forensic investigator's recommendation, it may have prevented the second breach," Schneiderman argued.

Alongside the $50,000 fine, the settlement is forcing THC to comply with new cybersecurity policies aimed at better protecting the data of customers. In a seven-point system, the new policies include "annual employee training" about how to handle sensitive information and "regular testing of the effectiveness of the safeguard's key controls, systems, and procedures".

In a statement, Trump Hotel Collection failed to acknowledge the numerous accusations of cybersecurity negligence outlined in the settlement.

"Unfortunately, cybercriminals seeking consumer data have recently infiltrated the systems of many organisations including almost every major hotel company. Safeguarding our customers' data is a top priority for the company and we will continue taking actions to do so," a spokesperson said.

The data breach probe is not the only investigation launched against Donald Trump in New York. In a separate case, also spearheaded by Schneiderman, the business mogul and wannabe US commander-in-chief is accused of being involved with an education scam called Trump University that has been branded "straight up fraud" by the attorney general.

Trump defended Trump University last week during a campaign rally in San Diego, where he attacked several of the judges involved in the case, CNN reported.

"The trial is going to take place sometime in November. There should be no trial. This should have been dismissed on summary judgment easily, everybody says it. But I have judge who is a hater of Donald Trump, a hater. He's a hater," Trump said.

"I could have settled this case many times, but I don't want to settle cases when we are right. I don't believe in it. And when you start settling cases, you know what happens? Everybody sues you because you get known as settler. One thing about me, I am not known as a settler," Trump told the crowd.