On 17 December, Rosewood London learned that an unauthorised party gained access to the hotel’s third-party online restaurant reservations platform account by way of vishing. Vishing is a form of cyber-attack whereby someone uses social engineering tactics to persuade individuals to provide personal data. In this case, a hotel employee fell victim to these attacks, which allowed the unauthorised party to access the hotel’s online restaurant reservations account. These attacks occurred on 16 December and 17 December, and on both occasions, the unauthorised party’s access to the hotel’s account was promptly disabled on the same day. While prompt action was taken to disable the unauthorised party’s access to the account, the unauthorised party was able to access limited personal data relating to the hotel’s restaurant and bar patrons that was stored in the hotel’s account with the online restaurant reservation provider. The incident only affected the hotel’s online restaurant reservation account, and not the hotel’s wider systems.
What Information Was Involved?
The personal data involved in the incident may have included your first name, last name, email, phone number, basic reservation information and reservation notes (e.g., special occasion). It is important to note that no credit card or payment information was accessed by the unauthorised party.
What We Are Doing?
Promptly after learning of the incident, we commenced (in conjunction with the provider of the online reservation account) an investigation to understand the nature and scope of the incident and secure the hotel’s systems. This included automatically logging all users out of, and forcing password resets for, all the hotel’s accounts with the online restaurant reservation provider. Based on our investigation, we believe the issue has been contained and the unauthorised party no longer has access to the hotel’s account. In addition, we have notified the Information Commissioner’s Office (ICO) and law enforcement about the incident and are working with our data privacy team and external experts to minimise risks posed by this incident.
What You Can Do?
While the personal data involved in the incident was limited, we are aware that some customers have been subjected to subsequent vishing attempts that may be related to the incident.
Should you receive a phone call or email from anyone claiming to be with Rosewood London, or in connection with a past, current or future table reservation at Rosewood London, please do not disclose any personal data and end the call immediately. Rosewood London will never ask for payment details over the phone or by email.
Our guests’ data privacy is of the utmost importance. If you have experienced or experience fraudulent or suspicious activity or would like to speak to a member of our team directly, please contact us by phone on +44 (0) 203 747 8720 between the hours of 9am – 5pm GMT or by email at london.guestservices@rosewoodhotels.com.