Radisson Hotel Data Breach Response Potentially in Violation of GDPR
The Radisson Hotel Group may be fined for non-compliance with the General Data Protection Regulation (GDPR) following a data breach earlier this year.
The Radisson Hotel Group is a chain with over 1,400 hotels in over 70 countries and incorporates hotel brands such as Park Plaza, Country Inn & Suites, Park Inn, and Radisson Collection. As its headquarters are in Brussels, Belgium, the group is required to comply with GDPR. The data breach affected “a small percentage” of Radisson Rewards loyalty scheme members. The cause of the breach remains vague, with a statement from the Radisson Hotel Group calling it a “security incident”.
The Radisson Hotel Group may be in violation of GDPR because of the amount of time it took to report the breach after it was discovered. According to GDPR, any company that discovers it has been subjected to a data breach must report the incident within 72 hours of becoming aware of it. The Radisson Hotel Group says that it became aware of the breach on October 1st, but only made its loyalty scheme members aware of the incident on October 30th and 31st. The breach itself took place on September 11th. This 30-day gap between the discovery of the breach and the notifications being sent is in violation of EU regulations.
After a breach is discovered and the relevant authorities are notified, an investigation must be launched into the cause of the breach. The affected organisation must document all of its actions in the aftermath of the discovery, so that it can show GDPR investigators whether it followed the stipulations GDPR sets out for breach responses. If the organisation is found to be in violation of GDPR in the aftermath of a breach, it may be subject to a fine of €20m or 4% of annual global revenue, whichever figure is higher. As the Radisson Hotel Group took longer than 72 hours to inform its loyalty customers of the breach once it was discovered, it is possible that the group will be subject to a hefty GDPR fine.
The Radisson Hotel Group stated that the information compromised in the breach included identifying details such as names, physical addresses, countries of residence, email addresses, company names, telephone numbers, frequent flyer account numbers and Radisson Rewards member numbers. No financial data or passwords were involved in the breach. There are no reports of the information being used for malicious purposes as yet, but affected customers are advised to keep a close eye on all of their accounts and report any suspicious activity to the relevant authorities immediately.
The notice by the Radisson Hotel Group said: “Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior. Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future.”
Despite stating that the number of people impacted by the breach is “less than 10 percent” of the membership base, the hotel group has not made public exactly how many subscribers to the loyalty scheme have been affected.
The hotel chain’s advisory suggests that employee accounts with permission to access this data may have been compromised and fraudulently used by an attacker. It read: “This data security incident did not compromise any credit card or password information. Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flier numbers on file.”