Radisson Hotel Group has told members of its loyalty scheme that their personal details were exposed in a data breach.
The hotel chain and conference centre fave said it "identified" the security foul-up on 1 October, weeks after it happened on 11 September, but only emailed holders of the Radisson Rewards cards that are affected yesterday.
The mail sent by the group stated:
This data security incident did not compromise any credit card or password information. Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flier numbers on file.
The IT security breach affected a "small percentage" of the Radisson Rewards members, the email stated, but didn't provide any specifics about numbers.
The hotel chain said that when it identified the "issue" it immediately revoked access to the unauthorised person or persons.
"All impacted members accounts have been secured, and flagged to monitor or any potential unauthorised behaviour. While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity."
It added that loyalty card holders should also be cautious about potential phishing scams as miscreants may attempt to build on the information already gathered.
"Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future."
Hotel, motel, Holiday Inn? Doesn't matter – they may need to update their room key softwareREAD MORE
The business made no reference to which system the miscreants snuck in through, or provided any other technical details. We have sent a bunch of questions to the relevant employees.
The group operates various brands including the Radisson, Radisson Blu, Radisson Red, Country Inns and Suites by Radisson and Park Inn by Radisson, spread over more than 1,000 locations in 73 countries.
Radisson made no reference to informing the UK's Information Commissioner's Office (ICO) of the breach.
El Reg has asked the ICO to comment. Under the European General Data Protection Regulation introduced in the UK on 25 May, a business has 72 hours after becoming aware of the breach to inform the data watcher of a security scuffle. If it doesn't meet those requirements, the business has to explain why.
Updated to add at 13.17 UTC on 31 October
Radisson contacted us post-publication with a statement that fails to answer any of the questions we asked.
"The data security incident impacted less than 10 percent of Radisson Rewards member accounts," a spokesman said. He did not quantify how many people that equates to.
Updated to add at 09.50 UTC on 1 November
The ICO has contacted following publication of this story with a statement:
“All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us and we can look into the details.” ®