Guests at one of London’s top hotels have been targeted with convincing phone-based identity fraud attacks after a suspected data breach.
The five-star Ritz London, where deluxe rooms cost over £2000 per night, revealed on Twitter over the weekend that it suffered a security incident last Wednesday.
“We can confirm that on August 12 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information,” it said.
“We immediately launched an investigation to identify the cause of the breach, which is ongoing, to find out what happened, how and to prevent this from happening again. We have contacted all of our clients whose data may have been compromised and alerted the ICO of the incident.”
However, the incident response appears not to have been quick enough to prevent attackers from using stolen guest data in follow-on fraud attempts.
With restaurant booking details in hand, they posed as hotel staff and began calling up diners in order to obtain their card details, according to reports.
One victim told DigitalTrends that the incoming phone number was even spoofed to appear as if the genuine Ritz number. In other cases, victims were urged to read out one-time passcodes sent to their device in order to stop a fraudulent transaction occurring. Of course, once they had the code, the scammers were able to authenticate their illegal transactions.
Hotels have become an increasingly attractive target for cyber-criminals and nation states over the years, given that they store large amounts of customers’ personal and financial data.
In 2018, Marriott International notified of a major incident in which the personal details of 339 million guests had been compromised — a breach the ICO was set to fine the firm £99m for.