Radisson Hotel Group reveals breach of rewards site

Details exposed of loyalty card members.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Radisson Hotel Group reveals hack of rewards site

If you’ve stayed in one of the over 1400 hotels in 70 countries that make up the Radisson Hotel Group, you could be in for a rude awakening.

The hotel chain – which includes brands like Park Plaza, Park Inn, Radisson Blu, Radisson Red, Country Inn & Suites, and Radisson Collection – has announced that it has suffered what it euphemistically describes as a “data security incident” (but you and I might possibly call a “hack”) impacting “a small percentage” of members of its loyalty and rewards scheme.

Fortunately, no passwords or financial information was exposed. So that’s some good news.

Sign up to our free newsletter.
Security news, advice, and tips.

Radisson Hotel Group reveals hack of rewards site

However, a few things do still jump to my attention.

One is that Radisson isn’t saying how many of its Rewards members were affected. The most they’re currently prepared to do is describe it as a “small percentage”. My guess is that they’re doing that in the belief that giving a number might only add fuel to the fire.

Secondly, it’s disappointing that there’s no indication of how the breach might have occurred. Was there a vulnerability on the Radisson Rewards website that has now been fixed? Were some accounts compromised because the hackers were able to break in using credentials that perhaps they scooped up in an earlier attack against a different website? We don’t know, because Radisson isn’t sharing any details.

Third, when did the breach occur and how long has it taken to inform exposed customers?

The hotel chain says it that it discovered on October 1st that personal information about Radisson Rewards members, including their names, physical addresses, countries of residence, email addresses, company names, telephone numbers, frequent flyer numbers, and Radisson Rewards numbers had been compromised during the breach.

However, it took until October 30th and October 31st for Radisson Hotel Group to inform affected customers, and -according to reports – the breach itself occurred on September 11th.

One wonders what held up the hotel’s disclosure of the security breach between the start and end of October.

While we’re waiting for an answer to that one, Radisson Rewards members would be wise to keep an eye open for any attempts by scammers to use phishing emails or unsolicited phone calls luring them into clicking on links, or sharing further personal information.

Even if you’ve never stayed at a hotel owned by the Radisson group this is still a case that should be watched with interest. In all likelihood, Radisson’s “small percentage” of affected customers will include Europeans, which will mean that the hotel chain’s breach will fall under GDPR regulation.

If the-powers-that-be investigate the breach and determine that Radisson’s security was lax, it could be fined up to 10 million euros or 4% of its annual global turnover (whichever is higher.)

Ouch.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.