Check this out: Radisson Hotel Group 'fesses up to 'security incident'

Loyalty card members deets exposed

7 Got Tips?

Radisson Hotel Group has told members of its loyalty scheme that their personal details were exposed in a data breach.

The hotel chain and conference centre fave said it "identified" the security foul-up on 1 October, weeks after it happened on 11 September, but only emailed holders of the Radisson Rewards cards that are affected yesterday.

The mail sent by the group stated:

This data security incident did not compromise any credit card or password information. Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flier numbers on file.

The IT security breach affected a "small percentage" of the Radisson Rewards members, the email stated, but didn't provide any specifics about numbers.

The hotel chain said that when it identified the "issue" it immediately revoked access to the unauthorised person or persons.

"All impacted members accounts have been secured, and flagged to monitor or any potential unauthorised behaviour. While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity."

It added that loyalty card holders should also be cautious about potential phishing scams as miscreants may attempt to build on the information already gathered.

"Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future."

Hotel, motel, Holiday Inn? Doesn't matter – they may need to update their room key software


The business made no reference to which system the miscreants snuck in through, or provided any other technical details. We have sent a bunch of questions to the relevant employees.

The group operates various brands including the Radisson, Radisson Blu, Radisson Red, Country Inns and Suites by Radisson and Park Inn by Radisson, spread over more than 1,000 locations in 73 countries.

Radisson made no reference to informing the UK's Information Commissioner's Office (ICO) of the breach.

El Reg has asked the ICO to comment. Under the European General Data Protection Regulation introduced in the UK on 25 May, a business has 72 hours after becoming aware of the breach to inform the data watcher of a security scuffle. If it doesn't meet those requirements, the business has to explain why.

Updated to add at 13.17 UTC on 31 October

Radisson contacted us post-publication with a statement that fails to answer any of the questions we asked.

"The data security incident impacted less than 10 percent of Radisson Rewards member accounts," a spokesman said. He did not quantify how many people that equates to.

Updated to add at 09.50 UTC on 1 November

The ICO has contacted following publication of this story with a statement:

“All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us and we can look into the details.” ®

Sign up to our NewsletterGet IT in your inbox daily


Keep Reading

Google wants to listen in to whatever you get up to in hotel rooms

Disrupting clock radios and concierges with plan to let Nest Hub devices take orders for fresh towels

We know what you did last summer: MGM's hotel spinoff lost 10.7m guest records and now they're on hacker forums

What happens in Vegas... gets leaked on the internet

Japanese hotel chain sorry that hackers may have watched guests through bedside robots

Can we at least turn the thing around before we... y'know?

Not exactly the kind of housekeeping you want when it means the hotel's server uptime is scrubbed clean

On Call A Hoover-dunnit for your Friday morning

A paper clip, a spool of phone wire and a recalcitrant RS-232 line: Going MacGyver in the wonderful world of hotel IT

On Call Part 1: No one expects the construction crew

DBA locked in police-guarded COVID-19-quarantine hotel for the last week shares his story with The Register

Holiday did not go as planned, but he’s working remotely, participating in agile rituals and happy at the half-way mark of a two-week stretch

Messed Western: Vuln hunters say hotel giant's Autoclerk code exposed US soldiers' info, travel plans, passwords...

Details of military personnel and trips leak online from poorly secured AWS service

Chinese hotel chain warns of massive customer data theft

130 million could be impacted by Huazhu Group hack

It's Black Hat and DEF CON in Vegas this week. And yup, you know what that means. Hotel room searches for guns

Black Hat Because it's America, it's 2019, and after more mass shootings, let alone Mandalay Bay, no one's taking chances

World's first robot hotel massacres half of its robot staff

Rise of the Machines™ 'You're fired'

Tech Resources

Zero trust strategies to zap ransomware peril

Join industry veteran and security pro Mike Wronski of Nutanix as he explains to Tim Phillips about zero trust strategies combined with HCI can improve your security posture, defend against threats, help prevent your business from being the next victim of ransomware.

Securing Virtual Workforces

Right now, many security teams are struggling to adjust to a virtual workforce and the new requirements that come along with that.

Breach and Attack Simulation For Dummies

This ebook covers attacks on your network. But not the ones you expect — these are actually coming from you.

IBM and Nvidia® Solutions Power Insights with the New AI

IBM is well-positioned to help organizations incorporate high-performance solutions for AI into the enterprise landscape.