BBC is reporting that the point-of-sale systems at several of the Trump hotels have likely been hacked. Trump’s initial response to questions was to decline to comment. Later, after the news of the breach was published, Eric Trump, Donald’s son, said that like “virtually every other company these days” they had been alerted to suspicious activity and are in the midst of a “thorough” investigation. They also reminded the media that they “are committed to safeguarding all guests’ personal information”.
Before I fly off the handle, there really isn’t a lot that they can say as they investigate the breach.
However, saying that “like virtually every other company …” reminds me of the old Tom Peters (In Search Of Excellence and many other books) quote. Peters, in lamenting how poorly most American businesses were run, said that most businesses’ fundamental operating principle was “we’re no worse than anyone else”. That seems to be the principle that the Trump chain is using.
And, to be clear, while there are many, many credit card breaches every year, to say that virtually every other company has had their credit card data hacked is a bit of a stretch. Even if it were true, to use that as a justification of why they were hacked is probably not going to sit well with the high-end customers that his hotels court.
Brian Krebs wrote, in his coverage of the Trump breach, that maybe hackers are doing one last effort to grab credit cards before the October 15 deadline for liability for credit cards. I would like to dissect that statement because it is problematical.
(a) The October 15th date is when merchants start absorbing liability if they do not have credit card machines that accept chip-based credit cards, which the rest of the world has been using for years.
(b) The new cards that your banks will issue will still have a mag stripe on them. That means, at least to a degree, those cards are still vulnerable.
(c) We will have to see if merchants stop swiping (and therefore collecting) mag stripe data on cards after that date. IF THEY DO STOP SWIPING THE MAG STRIPES then that data will no longer be collected and therefore no longer available to hackers. We are going to have to wait and see what merchants do.
(d) There is no law or rule that will stop merchants from swiping your mag stripe after October 15th and, in fact, many merchants will not have new credit card readers by then, so they will continue to swipe your card.
(e) Banks are worried silly that if it is a little bit harder to use your credit card you might pay cash (and possibly get a discount!) and they will lose out on the fees. As a result, they have decided both to leave the mag stripe on the new cards and not to require you to use a PIN with your chip card, as the rest of the world does, and instead to use the totally ridiculous option of having you sign your virtual receipt. Since NO ONE checks your signature (again, for fear that you might bail on the transaction) this will reduce certain types of fraud but it will not reduce other types.
(f) The October 15th deadline does not apply to a variety of merchants such as gas stations, and, I expect, banks will not have all ATMs upgraded by then either.
(g) The chip card has no effect on Internet-based sales and most people expect Internet fraud to go through the roof as hackers move their efforts to e-commerce websites once it becomes harder to hack places like Trump’s hotels.
This migration to chip cards, and hopefully, eventually, to chip and PIN, will take years. Many years.
Both BBC and Krebs are saying that this breach goes back to February. If so, this is July, which means that it only took the banks 3 or 4 months to detect the breach, and Trump’s response seems to indicate that they were not aware of the problem until the banks told them about it. Believe it or not, that is pretty quick.
While I am beating on the Trump chain pretty hard, as Tom Peters said, they really ARE no worse than anyone else.
My two cents.
Information for this post came from BBC and Brian Krebs.