Cyber Incident Victim: The Ritz London
Date: Aug 2020
Location: United Kingdom
Summary
Scammers impersonated staff at a luxury London hotel, contacting diners with precise reservation details to fraudulently obtain payment card information through spoofed calls appearing to originate from the establishment. The attackers attempted high-value transactions at a retail chain and subsequently posed as bank representatives to extract security codes, exploiting compromised booking data from the hotel's food and beverage reservation system. The organization acknowledged a potential breach, initiated an investigation into unauthorized access of customer records, and notified both affected patrons and regulatory authorities, emphasizing that legitimate confirmation calls never solicit card details.
Description
In August 2020, diners with reservations at The Ritz hotel in London were targeted by scammers who obtained precise details of their restaurant bookings. The fraudsters posed as hotel staff, contacting victims by phone shortly before their scheduled reservations—in one case, the day prior to an afternoon tea booking. Calls appeared to originate from the hotel’s legitimate phone number due to caller ID spoofing, a technique described by cybersecurity experts as relatively simple to execute. Attackers referenced specific reservation times and locations, lending credibility to their claims. They requested victims "confirm" bookings by providing payment card details, falsely stating initial cards had been declined to solicit additional card information. After obtaining card data, scammers attempted high-value transactions exceeding £1,000 at retailer Argos. In at least one instance, when the victim’s bank flagged suspicious activity, attackers escalated their approach by impersonating bank representatives. They instructed the victim to read security codes sent via SMS, which would have authorized fraudulent transactions instead of canceling them. A second victim who booked via telephone reported identical tactics, though inconsistencies in the scammer’s knowledge of hotel facilities raised suspicions.

The Ritz confirmed awareness of a potential data breach within its food and beverage reservation system on August 12, 2020, initiating an investigation into how attackers accessed customer booking details. The hotel notified the UK Information Commissioner’s Office and proactively emailed potentially affected customers, explicitly warning that legitimate staff would never request credit card information by phone after reservations were made. Financial institutions detected and blocked some fraudulent transactions, preventing full monetary losses for victims. The incident exposed vulnerabilities in caller ID authentication systems and demonstrated attackers’ ability to exploit trusted brand identities through spoofing combined with stolen reservation data. No technical details about the breach mechanism or scope of compromised records were disclosed publicly. The hotel’s response focused on customer notification and reinforcing verification protocols, while cybersecurity professionals emphasized inherent risks of caller ID reliance and the persuasive impact of attackers wielding insider knowledge.
