Ritz London suspects data breach, fraudsters pose as staff in credit card data scam

Scammers phoned guests to “confirm” their credit card details for reservations.
Written by Charlie Osborne, Contributing Writer

The Ritz Hotel in London has launched an investigation into a data breach in which scammers may have posed as staff members to steal credit card data. 

In a series of messages posted to Twitter dated August 15, the luxury hotel chain said that on August 12, the company was made aware of a "potential data breach within our food and beverage reservation system."

Ritz London added that this may have led to the compromise of "some of our clients' personal data."

While the hotel said that the security incident did not include any credit card details or payment information, the leaked data may have been used in a social engineering scam designed to steal more valuable financial information -- straight from the source. 

As reported by the BBC, scammers have phoned Ritz restaurant reservation holders with the "exact" details of their bookings and asked them to confirm their payment card details.

The fraudsters, pretending to be Ritz employees, used caller ID spoofing so that the calls appeared to come from the hotel.

One guest speaking to the publication said a scammer called her a day before she was due to visit the Ritz for afternoon tea. After requesting that she "confirm" her details, the fraudster said her card had been declined and then requested a second payment card. 

Information in hand, the scam artist then tried to make a number of transactions exceeding £1000 at retailer Argos.

However, the guest's bank spotted the odd payments. Perhaps aware this was likely to happen, the scammer then called again -- but this time pretended to be from her bank in order to obtain the three-digit security code from the back of the payment card, which would authorize future transactions.

Another woman told the BBC that the same tactics were used on her, but she dismissed the call after the fraudster on the other end of the line was not able to provide details relating to the hotel -- knowledge that a true employee would possess.  

It is not known how widespread this scam is, or how many people have been targeted. The Ritz hotel has emailed customers, emphasizing that staff will not call them after a reservation is made. 

"We immediately launched an investigation to identify the cause of the breach, which is ongoing, to find out what happened, how and to prevent this from happening again," the hotel chain says. 

The UK's Information Commissioner's Office (ICO) has been informed of the security incident.
