Hackers attempted to defraud guests at one of London’s most luxurious hotels after breaching the restaurant’s reservation system. The scammers spoofed the official phone number and contacted customers while posing as Ritz Hotel staff. They asked the victims to confirm their credit card numbers, claiming that the initial payments for their reservations had been declined. The suspected criminals later went on a shopping spree at Argos, attempting to make purchases worth thousands of pounds.
Data breach allowed hackers to request credit card information
The BBC reported that one of the affected customers was asked to provide an additional credit card number because her “initial payment had failed.” The suspected fraudster then attempted to complete transactions worth over £1,000 at Argos using the information collected from the victim. Fortunately, the customer’s bank flagged the transaction as suspicious, frustrating the criminal’s spending plans. The scammer then contacted the victim again, this time impersonating a bank official, to trick her into authorizing a fraudulent transaction. He told the victim that a rogue entity was trying to use her credit card to make illegal purchases. According to the reports, the scammer told her that she needed to confirm the bank’s security code sent to her phone to stop the illegal transaction.
Another customer said she received a similar call but dismissed the scammer after he failed to answer basic questions regarding her hotel reservations.
Javvad Malik, Security Awareness Advocate at KnowBe4, says that such social engineering attacks are likely to succeed because the possession of personal information makes the criminals sound convincing.
“Compromising systems is usually one half of any hack. The second part is knowing how to monetize the information. In many cases, information relating to individuals can be used to launch social engineering attacks against the victims. This can range from sending phishing emails to physical mail, text messages, or phone calls. Because the criminals have access to sensitive information, they can sound very convincing, and it can make it very difficult for people to identify it as fraudulent activity.”
Ritz Hotel acknowledged the data breach
The hotel management admitted that a security incident had exposed its customers’ data to suspected cybercriminals. However, the restaurant denied that credit card details were compromised in the process. The hotel said in a series of tweets posted on August 15 that it was aware “of a potential data breach within our food and beverage reservation system which may have compromised some of our clients’ personal data.”
However, Ritz Hotel insisted that the data breach did not include any credit card details or payment information. Additionally, the hotel indicated that it had launched an investigation, which is ongoing, to identify the cause of the data breach. The hotel also notified the affected customers, informing them that Ritz Hotel staff never called customers after they made a reservation. The UK’s Information Commissioner’s Office (ICO) was also furnished with the details of the Ritz data breach.
Although the hackers did not access the credit card data, the information they obtained allowed them to carry out social engineering attacks to collect more valuable information. It’s still unclear how many customers were affected and whether the fraudsters succeeded in making any payments using the credit card details harvested from the victims.
The Ritz Hotel attack is one of a number of similar data breaches targeting reputable restaurants around the world. Hotel giants such as MGM Resorts and Marriott faced similar attacks affecting more than 140 million customers.
Ilia Kolochenko, Founder & CEO at ImmuniWeb, notes that cyberattacks directed at hotels target wealthy individuals with higher credit card limits. He adds that should such attacks succeed, they could prove to be very expensive.
“Unlike the other recently reported data breach about data stolen from Jack Daniel’s, the Ritz incident may have much stronger consequences and extremely high losses. Guests of the luxury hotel are wealthy people, oftentimes, virtually without a limit on their credit cards. Despite multilayered defense and transaction verification mechanisms available for high net worth individuals, many of them lack technical knowledge and can be easily lured into expensive mistakes. Some VIP clients may enjoy generous protection against fraudulent credit card charges, but not all banks offer them. Moreover, there is a multitude of other avenues to profiteer from the alleged breach or extort money from the victims.”