A number of people who had made restaurant reservations at the Ritz London were scammed by fraudsters into sharing their payment card details soon after the hotel's reservation system was breached.
The incident took place over the weekend and involved sweet-talking fraudsters posing as employees at the Ritz London and calling up people who had made restaurant reservations at the hotel. In the guise of confirming their reservations, the fraudsters asked guests to confirm their payment card details.
According to the BBC, which spoke to some of the affected guests, the fraudulent calls appeared to come from the Ritz London's official phone number, and the callers knew precise details of individual reservations. This led the guests to believe the calls were genuine and to confirm their payment card details over the phone.
The fraudsters went so far as to tell customers that their payment card had been declined and that new payment card details were needed to confirm their reservations. After obtaining the Ritz's customers' payment card details in this way, the fraudsters attempted to carry out transactions of over £1,000 at Argos.
Once banks declined the payments as suspicious, the fraudsters posed as bank employees and called the customers to warn them about suspicious transactions on their cards. The customers were then asked to read out security codes sent to them by their bank, which were in fact the codes required to confirm the transactions being attempted at Argos.
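The second stage of the scam works because a bare six-digit code tells the cardholder nothing about what it approves. The usual countermeasure is to bind each code to the specific transaction (card, merchant, amount) and to state those details in the message itself, so a code issued for a £1,000 Argos payment is recognisable as such and cannot be reused for a different amount or a second attempt. The following is an added illustration written for this article, not code from the Ritz, Argos, any bank or the BBC; the service class, the secret, the card token `tok_4242` and the amounts are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # constructed policy: a confirmation code lives five minutes


def _context(card_token: str, merchant: str, amount_pence: int) -> str:
    # The transaction details a code is bound to; any change invalidates it.
    return f"{card_token}|{merchant}|{amount_pence}"


class TransactionOtpService:
    """Hypothetical issuer-side service: one-time codes tied to one transaction."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # otp_id -> (bound context, expiry timestamp, already used?)
        self._pending = {}

    def _derive_code(self, otp_id: str, ctx: str) -> str:
        # Code is an HMAC over the id and the transaction context, truncated to 6 digits,
        # so the verifier can recompute it without storing the code in clear.
        mac = hmac.new(self._secret, f"{otp_id}|{ctx}".encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, card_token: str, merchant: str, amount_pence: int, now: float = None):
        now = time.time() if now is None else now
        otp_id = secrets.token_hex(8)
        ctx = _context(card_token, merchant, amount_pence)
        code = self._derive_code(otp_id, ctx)
        self._pending[otp_id] = (ctx, now + OTP_TTL_SECONDS, False)
        # The message names the merchant and amount so the cardholder can see
        # exactly which payment the code approves.
        message = (
            f"Code {code} approves a payment of £{amount_pence / 100:,.2f} at {merchant}. "
            "If you did not start this payment, do not use or share the code."
        )
        return otp_id, code, message

    def verify(self, otp_id: str, code: str, card_token: str, merchant: str,
               amount_pence: int, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(otp_id)
        if entry is None:
            return False
        ctx, expires_at, used = entry
        if used or now > expires_at:
            return False  # single use and time-limited
        if ctx != _context(card_token, merchant, amount_pence):
            return False  # code was issued for a different transaction
        if not hmac.compare_digest(self._derive_code(otp_id, ctx), code):
            return False
        self._pending[otp_id] = (ctx, expires_at, True)  # burn the code
        return True


if __name__ == "__main__":
    svc = TransactionOtpService(b"constructed-demo-secret")
    otp_id, code, msg = svc.issue("tok_4242", "Argos", 100_000, now=1000.0)
    print(msg)
    print("same transaction:", svc.verify(otp_id, code, "tok_4242", "Argos", 100_000, now=1010.0))
    print("replayed:", svc.verify(otp_id, code, "tok_4242", "Argos", 100_000, now=1020.0))
```

The binding and single-use checks stop a captured code from being turned into a second or larger charge, while the explicit merchant and amount in the message give the cardholder the information needed to notice that a "bank" caller is asking them to approve a purchase they never made.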
After news about the elaborate scam came to light, the Ritz London said that their food and beverage reservation system had been breached earlier in August, resulting in some of its clients' personal data getting compromised.
"We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients' personal data. This does not include any credit card details or payment information," the hotel said.
"We immediately launched an investigation to identify the cause of the breach, which is ongoing, to find out what happened, how and to prevent this from happening again. We have contacted all of our clients whose data may have been compromised and alerted the ICO," they added.
Commenting on fraudsters using information stolen from the Ritz to defraud its customers, Ilia Kolochenko, Founder & CEO of ImmuniWeb, said the Ritz incident may have strong consequences and extremely high losses, as guests of the luxury hotel are wealthy people who often have virtually no limit on their credit cards.
"Despite multilayered defense and transaction verification mechanisms available for high net worth individuals, many of them lack technical knowledge and can be easily lured into expensive mistakes. Some VIP clients may enjoy generous protection against fraudulent credit card charges, but not all banks offer them; moreover, there is a multitude of other avenues to profiteer from the alleged breach or extort money from the victims," he added.
This is not the first time that hackers have targeted online reservation systems of major hotels to steal the personal data of their wealthy guests and to scam them using their stolen information. The inability to secure guest details from hacking attempts often hurts the credibility and integrity of major hotels and also exposes them to regulatory action.
In July last year, the Information Commissioner's Office announced its decision to fine Marriott International almost £100 million for failing to prevent a massive data breach in 2018 that compromised approximately 383 million data records, of which around 30 million related to residents of 31 countries in the European Economic Area.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," said Information Commissioner Elizabeth Denham.
"Personal data has real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public," she added.