TN: Manchester Hotel Hospitality first notifies customers of breach IHG knew about months ago
On May 7, this site reported:
It seems Six Continents Hotels (InterContinental Hotel Groups) was notified earlier this year by the Secret Service that some of its hotels had suffered a data security breach. One of the hotels IHG subsequently notified was Cities Service (Holiday Inn Express & Suites in Sulphur, Louisiana). IHG alerted them on February 11, 2015.
At the time, I wondered when/if we’d see other notifications.
On June 23, counsel for Manchester Hotel Hospitality notified the New Hampshire Attorney General’s Office that they, too, had been impacted by the breach, and they weren’t too happy about IHG’s handling of their part.
According to their letter, although MHH was contacted by IHG on February 11, and IHG arranged for a forensic examination of their system with Dell SecureWorks, IHG did not provide MHH with Dell SecureWork’s report until April 29, 2015. Until then, MHH did not know for sure whether there had been any compromise involving their location.
As with the Holiday Inn Express & Suites, MHH learned that a workstation had been compromised by an email attachment, with the date of exposure being October 13, 2014 until February 13, 2015. A total of 999 MHH customers were affected by the breach nationwide.
Adding to their notification delays, MHH reported that the Dell SecureWork’s report delivered to them on April 29th appeared to be incomplete and contained invalid credit card numbers. After further investigation, MHH received a revised data set from Dell SecureWorks on June 8, 2015. Given the small number of staff at the Manchester, Tennessee hotel, it took time for MHH staff to work through their records to locate customers’ addresses for notification purposes.
Those affected were notified by letter on or about June 23, 2015, and were offered fraud assistance services with IDT911. The company reports it had no evidence of misuse of any customer payment card data. The breach did not appear to involve CVV codes, but did involve names, card numbers, and card expiration dates.
In response to the breach, MHH updated its firewalls, employee procedures, and security software in line with Dell SecureWorks’ and PCI DSS recommendations, and reimaged the affected workstation.
But one of the bottom lines is that IHG notified hotels on or about February 11, and affected hotel guests did not get notified until this past week in at least one case. And given today’s standards and consumer expectations, that’s way too long a delay in notification.