Donald Trump’s boast that “I know a lot about hacking” last weekend prompted a wave of mockery of a President-elect who seems to have skipped the computer age.
But Trump does have direct experience with hacking: His hotel chain suffered a series of recent data breaches, exposing 70,000 credit card numbers and personal information of its customers, and paid a settlement with the New York Attorney General for failing to properly notify its guests of the hacks.
What led to the settlement with New York began in May 2015, when several banks spotted hundreds of fraudulent credit card transactions. The stolen card numbers had a common thread: In each case, the last merchant where a legitimate purchase took place was the Trump Hotel Collection, a set of gilded properties that Trump’s company manages from New York to Waikiki to Panama. According to Trump’s website, they offer a “lifestyle where you can do more, experience more and live life without boundaries, limits or compromise” and are “defined by a distinctly residential atmosphere, expansive rooms, lavish spa and fitness facilities, endless views and flawless comfort.”
According to the attorney general, forensic investigators determined in June 2015 that an attacker, posing as an administrator, activated malware to capture credit card numbers in the Trump hotel payment system.
The hackers stole guests’ cards at seven hotels, including properties in New York, Miami, and Las Vegas. But even though Trump Hotel Collection knew as early as June that its systems had been compromised, the company failed to notify its customers until nearly four months later, in September, a delay that violated New York law, the attorney general said.
A second hack — which Schneiderman said could have been prevented if Trump hotels had implemented better security after the first cyberattack — was discovered by forensic investigators earlier this year, and targeted credit card numbers linked to five hotel properties. Trump Hotel Collection settled with Schneiderman in September, paying $50,000 in penalties and agreeing to a host of data security improvements, including two-factor authentication for remote access to its computer systems, and employee training.
“It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law,” Attorney General Schneiderman said when the settlement was announced.
In a prepared statement, Trump Hotels described the hacks as an industry-wide issue, rather than anything specific to Trump.
“Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations, including almost every major hotel company,” a spokesperson said.
The Trump transition team and the Trump organization did not respond to a request for comment.
But Trump, before he was denying hacks, did occasionally condemn them: In 2014 he called Russian hacking operations a “big problem.” And he praised FBI Director James Comey for his assessment that China was bombarding American organizations with cyberattacks. “I think he's 100% right, it's a big problem, and we have that problem also with Russia. You saw that over the weekend. Russia's doing the same thing,” Trump said on Fox News.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.