Cyber Incident Victim: Fontainebleau Florida Hotel

Fontainebleau Florida Hotel, LLC identified a cybersecurity incident affecting its computer systems, with unauthorized access occurring between August 30, 2022, and September 2, 2022. The hotel engaged a cybersecurity firm to investigate the breach, which confirmed that an external actor had infiltrated its network during this four-day period. The investigation revealed the intruder accessed files containing sensitive consumer information, though the specific attack method was not disclosed in the company's regulatory filing. Fontainebleau Hotel conducted a review of the compromised files to determine the scope of impacted individuals and the types of data exposed. This analysis confirmed that personal information belonging to 18,653 consumers was accessed without authorization, prompting the organization to initiate notification procedures.

On May 9, 2023, Fontainebleau Hotel formally reported the breach to the Office of the Maine Attorney General and began mailing individualized notifications to affected persons. The compromised data included names, Social Security numbers, and financial account information, with the exact combination varying per individual. The Miami Beach-based hotel and resort, which operates extensive hospitality facilities generating approximately $85 million annually, did not publicly disclose technical details about the affected systems or containment measures beyond engaging external cybersecurity expertise. The incident exposed highly sensitive identifiers that could facilitate identity theft and financial fraud against impacted guests. Fontainebleau Hotel's disclosure emphasized the confirmed timeline of unauthorized access and the types of personal data compromised but did not provide additional specifics regarding operational disruptions, forensic findings, or post-incident security enhancements implemented by the organization.