Guests dining at the luxury Ritz hotel in London were targeted by scammers who posed as hotel staff to steal payment card details.
The fraudsters phoned hotel guests and asked them to confirm their restaurant bookings by providing their payment card details.
To cash out the payment card data obtained, the scammers tried to make purchases at the catalogue retailer Argos.
The hotel has launched an investigation into a data breach and notified the Information Commissioner’s Office (ICO).
According to a BBC report, a woman who had made an online booking for afternoon tea at the Ritz as part of a celebration received a call the day before her reservation. The scammers asked her to “confirm” the booking by providing her payment card details.
The call was convincing because it appeared to come from the hotel’s real phone number, and the scammers knew the exact details of her reservation. They might have used caller ID spoofing to make the call appear genuine.
The scammers told the client that her payment card had been declined, and asked her for another bank card. They then tried to make several transactions in excess of £1,000 at the catalogue retailer Argos.
When the bank noted the suspicious transactions, the scammers contacted the victim by phone again, this time impersonating her bank, to trick her into giving up the security code.
The scammers told the victim about a fraudulent transaction and asked for the security code sent to her mobile phone in order to cancel it. Once they had the code, they completed the transaction.
The Ritz confirmed that it had been made aware of a potential data breach that impacted the “food and beverage reservation system” on 12 August. They added that this may have led to the compromise of some of their clients’ personal data.
The hotel sent a data breach notification to all affected customers, stating that once a reservation has been made at the Ritz London, its team will never contact guests by telephone to request credit card details to confirm the booking.
The extent of the security breach, the number of people affected and how the scammers obtained the reservation data are not known at the moment.