Customers of one of London’s top hotels were targeted by fraudsters attempting to steal their credit card information after the hotel failed to report a breach of its food and beverage reservation system.
Scammers posing as Ritz London staff managed to spoof the hotel’s official number, and contacted several customers under the guise of confirming their credit card details. With the booking information from the restaurant’s reservation systems, it was easy for scammers to convince unsuspecting customers to provide payment info.
According to a BBC report, one of the victims was contacted by the fraudsters a day before her afternoon reservation at the Ritz. During the phone call, the customer was asked to provide an additional credit card number because her initial payment was declined. After receiving the information, the perp embarked on a shopping spree at Argos, attempting to make several transactions of over £1,000.
Since the customer’s bank flagged the transactions as suspicious, and the payments did not go through, the scammers contacted the victim again, this time masquerading as a bank official. The victim was told that an unauthorized party was trying to use her credit card and, to cancel the transaction, she should read the security code sent via SMS to her phone.
As we all know, this extra layer of security is meant to avoid fraudulent use of credit cards in case the card is stolen or suspicious activity is noticed by the bank’s fraud control mechanisms. By providing this information, the victim was helping the perps and authorizing the payments made using her credit card.
In response to the news, the Ritz London confirmed that it suffered a security incident that may have compromised some of its customers’ personal data.
“We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information,” The Ritz London said in a tweet on August 16.
The extent of the data breach remains unknown, as the hotel gave no additional details. One thing is clear though: the attackers lost no time capitalizing on the stolen customer data.
In a second tweet posted by the hotel, the Ritz London says it “launched an investigation to identify the cause of the breach,” and that all customers who had their information in the compromised system have been contacted.
“We immediately launched an investigation to identify the cause of the breach, which is ongoing, to find out what happened, how and to prevent this from happening again,” the hotel said. “We have contacted all of our clients whose data may have been compromised and alerted the ICO of the incident.”
While it may have been difficult for the victim to realize she was being scammed in the initial phone call, it’s critical to remember that no financial institution will call to ask for your credit card number and the security codes sent to validate payments. Moreover, as a rule of thumb, never provide your personal or credit card information to someone who calls you, no matter how convincing they may sound.