Armed with personal data stolen from the hotel’s dining reservation system, fraudsters trick guests into handing over their credit card details
The Ritz London has launched an investigation into a potential data breach that affected its food and beverage reservation system. The information stolen in the breach seems to have been used by fraudsters to worm their way into the wallets of the hotel’s clients.
In a series of tweets shared over the weekend, the luxury hotel confirmed that it was made aware of the potential breach on August 12th, adding that the compromised data did not include any credit card or payment details. The hotel went on to notify all of its affected customers as well as the authorities about the breach while it investigates the incident further.
We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information.
— The Ritz London (@theritzlondon) August 15, 2020
Even though no payment information was compromised according to the hotel, it seems that the cybercriminals behind the attack were after just that. According to the BBC, the miscreants leveraged the information obtained from the breach to pull off a very convincing social engineering attack. To make their ruse even more believable, they also spoofed the hotel’s official number.
Posing as hotel staff, the scammers contacted clients who had made restaurant reservations at the Ritz, asking them to “confirm” their bookings by disclosing their payment card details. One of the victims speaking to the BBC confirmed that she was contacted a day before her reservation.
RELATED READING: 5 things you need to know about social engineering
The fraudsters claimed that her card was declined and requested that she provide an alternative bank card. Once they were able to obtain the information, the ne’er-do-wells went on to rack up charges of over £1,000 (some US$1,300) at Argos, a catalog retailer.
When the suspicious transactions were flagged by the victim’s bank, the cybercriminals contacted her again. However, this time they pretended to be from her bank and tried to deceive her into disclosing the security code she’d received, stating they need it to cancel the transaction, while the code would have, in fact, authorized it.
The Ritz is just the most recent addition to the list of hotels that have fallen victim to similar incidents. Last summer, MGM Resorts suffered a breach that affected 142 million of its former guests. Hotel giant Marriott, meanwhile, was hacked twice in a span of two years.