Radisson Hotel Group Data Leak May Lead to GDPR Fines

A potential General Data Protection Regulation breach impacting members of the firm’s loyalty and rewards scheme has been reported by the Radisson Hotel Group.

The Radisson Hotel Group, headquartered in Brussels, Belgium, accounts for over 1,400 hotels in over 70 countries and incorporates hotel brands such as Park Plaza, Country Inn & Suites, Park Inn, and Radisson Collection. Because of the location of its headquarters, the group comes under the remit of GDPR, the European Union data protection legislation which was formally launched on May 25 this year.

This EU legislation states that any company that discovers it has been subjected to a data breach must report the incident within 72 hours of becoming aware of it. A subsequent investigation will take place to review whether the company impacted was in full compliance with the GDPR requirement. If this is not the case then the company could be fined up to €20m or 4% of annual global revenue, whichever figure is higher.

Members of the Radisson Rewards loyalty scheme were made aware of the leak on October 30 and 31. They were advised that on October 1 an information leak had been discovered that impacted a “small percentage of Radisson Rewards members”. It was found that the breach took place around September 11.

The data breached included identifying elements such as names, physical addresses, countries of residence, email addresses, company names, telephone number details, frequent flyer account numbers and Radisson Rewards member numbers. It was also stated that no financial data or passwords were involved in the breach.

The notice by the Radisson Hotel Group said: “Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior. Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future.”

Despite stating that the number of people impacted by the breach is “less than 10 percent” of the membership base, the hotel group has not made public exactly how many subscribers to the loyalty scheme have been impacted.

The hotel chain’s advisory suggests that employee accounts with permission to access this data may have been at fault, having been fraudulently accessed by an attacker. It read: “This data security incident did not compromise any credit card or password information. Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flier numbers on file.”