Fraudsters Putting on the Ritz

Luxury London Hotel Investigates 'Food and Beverage Reservation System' Data Breach

Scammers have reportedly been putting one over on customers of the famous Ritz London.

Known for high teas and its sumptuous neoclassical Louis XVI style, the luxury hotel on Saturday confirmed that it was "aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data."

Ritz London says the potentially exposed information "does not include any credit card details or payment information."

Unfortunately, fraudsters have been using information that appears to have come from the Ritz to scam customers, the BBC has reported.

The Ritz says it has alerted the U.K.'s Information Commissioner's Office to the suspected breach.

The hotel didn’t immediately respond to a request for comment about how and when the breach began, how and when it was detected, or how many customers' records may have been exposed. Its statement suggests that it first learned of the breach on Wednesday, although it does not explicitly say so.

Under the EU's General Data Protection Regulation, organizations have 72 hours to inform a European data protection authority if they suffer a suspected breach that may have exposed Europeans' personal data.

Scammers Wield Stolen Customer Details

One Ritz customer tells the BBC that the day before she had a reservation for afternoon tea, she received a phone call from someone pretending to work for the hotel, asking her to "confirm" the booking by providing payment card data.

The Palm Court, where the Ritz serves afternoon tea (Photo: Ritz London)

The woman tells the BBC that the scammers knew the precise day and time of her booking, and obviously, they also had her contact information. She gave them details for one payment card, and when the scammer said it had been "declined," she gave them another.

The BBC reports that the scammers attempted to use the stolen card data to order more than £1,000 ($1,300) of goods from Argos, a British catalog retailer.

Another Ritz customer reported having been targeted with the same scam.

In a statement to the BBC, the Ritz says that it has emailed all potentially affected customers, warning them: "After a reservation has been made at the Ritz London, our team will never contact you by telephone to request credit card details to confirm your booking with us."

Hotel Still Reopening

Until recently, the hotel has been closed - for the first time in its 114-year history - because of the COVID-19 pandemic. Hence, it's possible that the exposed customer information is relatively fresh. The Ritz reopened the Palm Court, where it serves its renowned afternoon tea, on July 18. The hotel opened its other eateries and bars, including the Michelin-starred Ritz Restaurant, on July 27. The hotel is due to reopen its guest rooms Sept. 1.

In June, security firm Sansec warned that as the COVID-19 pandemic intensified, criminals in search of payment card data appeared to shift from more opportunistic to more targeted attacks, potentially also prepositioning themselves in advance of some organizations reopening (see: Claire's: Magecart E-Commerce Hackers Stole Card Data).

Target: Accommodation and Food Services

Again, it's not clear if the Ritz London's systems might have been infected with malware. But the accommodation and food services sector remains a top target for attackers, and malicious code is a favorite weapon.

"Malware plays a relatively large role in this industry … [as] financially motivated attackers continue to target this industry for the payment card data it holds," according to Verizon's 2020 Data Breach Investigations Report.

Source: Verizon 2020 DBIR

The top three types of attacks in the sector are: crimeware, referring to any type of malware, ranging from remote-access Trojans to ransomware; infecting point-of-sale environments or devices with "skimming" code that steals payment card data when cards get swiped; and exploiting web applications to steal data.

Attacks targeting point-of-sale systems in the accommodation and food services sector have continued to decrease in recent years, although these still account for 16% of breaches in the industry, according to the DBIR. "This may be - and probably is - indicative of the trend of adversaries to more quickly monetize their access in organizations by deploying ransomware rather than pivoting through the environment and spreading malware," the report says, adding that compared to simply unleashing crypto-locking code, trying to steal and monetize payment card data and personally identifiable information is "a more time-costly endeavor."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
