The hotel identified the breach on 1 October 2018. In a statement, the hotel group said that the data breach “did not compromise any credit card or password information”.
Information accessed by hackers was restricted to the names, addresses, country of residence and email addresses. In “some cases” company name, phone number, Radisson Rewards member number and frequent flyer numbers were also compromised.
The hotel chain said that it “identified” the hack on 1 October, which occurred on 11 September. However, they did not inform Radisson Rewards members until the 30 October.
It is unclear if they informed the UK’s data watchdog, the Information Commissioner’s Office. Under Europe’s General Data Protection Regulation (GDPR), an organisation has 72 hours to inform the relevant data protection body.
Rusty Carter, VP of product management at cybersecurity company Arxan Technologies, said that not all companies are taking note of GDPR.