Fraudsters Putting on the Ritz
Luxury London Hotel Investigates 'Food and Beverage Reservation System' Data Breach
Scammers have reportedly been putting one over on customers of the famous Ritz London.
Known for its high teas and its neoclassical, sumptuous Louis XVI style, the luxury hotel on Saturday confirmed that it was "aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data."
Ritz London says the potentially exposed information "does not include any credit card details or payment information."
Unfortunately, fraudsters have been using information that appears to have come from the Ritz to scam customers, the BBC has reported.
The Ritz says it has alerted the U.K.'s Information Commissioner's Office to the suspected breach.
The hotel didn’t immediately respond to a request for comment about how and when the breach began, how and when it was detected, or how many customers' records may have been exposed. Its statement suggests that it first learned of the breach on Wednesday, although it does not explicitly say so.
"We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information."
— The Ritz London (@theritzlondon) August 15, 2020
Under the EU's General Data Protection Regulation, organizations have 72 hours to inform a European data protection authority if they suffer a suspected breach that may have exposed Europeans' personal data.
Scammers Wield Stolen Customer Details
One Ritz customer tells the BBC that she recently received a phone call from someone pretending to work for the hotel, the day before she had a reservation for afternoon tea, asking her to "confirm" the booking by providing payment card data.
The woman tells the BBC that the scammers knew the precise day and time of her booking, and obviously, they also had her contact information. She gave them details for one payment card, and when the scammer said it had been "declined," she gave them another.
The BBC reports that the scammers attempted to use the stolen card data to order more than £1,000 ($1,300) of goods from Argos, a British catalog retailer.
Another Ritz customer reported having been targeted with the same scam.
In a statement to the BBC, the Ritz says that it has emailed all potentially affected customers, warning them: "After a reservation has been made at the Ritz London, our team will never contact you by telephone to request credit card details to confirm your booking with us."
Hotel Still Reopening
Until recently, the hotel had been closed - for the first time in its 114-year history - because of the COVID-19 pandemic. Hence, it's possible that the exposed customer information is relatively fresh. The Ritz reopened the Palm Court, where it serves its renowned afternoon tea, on July 18. The hotel opened its other eateries and bars, including the Michelin-starred Ritz Restaurant, on July 27. The hotel is due to reopen its guest rooms Sept. 1.
In June, security firm Sansec warned that as the COVID-19 pandemic intensified, criminals in search of payment card data appeared to shift from more opportunistic to more targeted attacks, potentially also prepositioning themselves in advance of some organizations reopening (see: Claire's: Magecart E-Commerce Hackers Stole Card Data).
Target: Accommodation and Food Services
Again, it's not clear whether the Ritz London's systems were infected with malware. But the accommodation and food services sector remains a top target for attackers, and malicious code is a favorite weapon.
"Malware plays a relatively large role in this industry … [as] financially motivated attackers continue to target this industry for the payment card data it holds," according to Verizon's 2020 Data Breach Investigations Report.
The top three types of attacks in the sector are crimeware - referring to any type of malware, ranging from remote-access Trojans to ransomware; infecting point-of-sale environments or devices with "skimming" code that steals payment card data when cards are swiped; and exploiting web applications to steal data.
Attacks targeting point-of-sale systems in the accommodation and food services sector have continued to decrease in recent years, although these still account for 16% of breaches in the industry, according to the DBIR. "This may be - and probably is - indicative of the trend of adversaries to more quickly monetize their access in organizations by deploying ransomware rather than pivoting through the environment and spreading malware," the report says, adding that compared to simply unleashing crypto-locking code, trying to steal and monetize payment card data and personally identifiable information is "a more time-costly endeavor."