Trump Hotels to pay New York $50,000 over data breaches

NEW YORK - Trump Hotel Collection agreed to pay $50,000 in fines and strengthen security measures after data breaches exposed more than 70,000 credit-card numbers and other personal information, New York Attorney General Eric Schneiderman said Friday.

Banks analyzing hundreds of fraudulent credit-card transactions in May 2015 tracked the last legitimate ones to Trump hotels, suggesting the chain was the target of a cyber attack, Schneiderman said in a statement. A preliminary probe revealed malware targeting credit cards existed at multiple locations, including the computer networks associated with hotels in Chicago, New York and Las Vegas.

Further investigation showed that an attacker infiltrated the chain’s payment system in May 2014 by accessing an administrative account using legitimate credentials, and then deployed the malware, Schneiderman said. The chain knew as early as June 2015 that malware had permeated multiple properties but didn’t tell its customers until four months later, which is a violation of New York law, the attorney general said.

Another breach occurred in November 2015 when an attacker installed malware on 39 systems affecting five properties, including the Trump SoHo New York, Schneiderman said. Then, in March, an attacker infiltrated a payment system for the Trump International Hotel & Tower New York that included personal information of more than 300 property owners, including social security numbers. The attackers were not identified.

The Trump Hotel Collection, which was started in 2007 and focuses on luxury full-service hotels including the Trump International Hotel & Tower in New York and the Trump National Doral in Miami, is headed by Donald J. Trump, the Republican presidential nominee, and his three children, according to its website.

Alan Garten, general counsel for the Trump Organization, didn’t immediately respond to an email seeking comment on the settlement.