If you’ve stayed in one of the over 1400 hotels in 70 countries that make up the Radisson Hotel Group, you could be in for a rude awakening.

The hotel chain – which includes brands like Park Plaza, Park Inn, Radisson Blu, Radisson Red, Country Inn & Suites, and Radisson Collection – has announced that it has suffered what it euphemistically describes as a “data security incident” (but you and I might possibly call a “hack”) impacting “a small percentage” of members of its loyalty and rewards scheme.

Fortunately, no passwords or financial information was exposed. So that’s some good news.

However, a few things do still jump to my attention.

One is that Radisson isn’t saying how many of its Rewards members were affected. The most they’re currently prepared to do is describe it as a “small percentage”. My guess is that they’re doing that in the belief that giving a number might only add fuel to the fire.

Secondly, it’s disappointing that there’s no indication of how the breach might have occurred. Was there a vulnerability on the Radisson Rewards website that has now been fixed? Were some accounts compromised because the hackers were able to break in using credentials that perhaps they scooped up in an earlier attack against a different website? We don’t know, because Radisson isn’t sharing any details.

Third, when did the breach occur and how long has it taken to inform exposed customers?

The hotel chain says that it discovered on October 1st that personal information about Radisson Rewards members, including their names, physical addresses, countries of residence, email addresses, company names, telephone numbers, frequent flyer numbers, and Radisson Rewards numbers, had been compromised during the breach.

However, it took until October 30th and October 31st for Radisson Hotel Group to inform affected customers, and – according to reports – the breach itself occurred on September 11th.

One wonders what held up the hotel’s disclosure of the security breach between the start and end of October.

While we’re waiting for an answer to that one, Radisson Rewards members would be wise to keep an eye open for any attempts by scammers to use phishing emails or unsolicited phone calls luring them into clicking on links, or sharing further personal information.

Even if you’ve never stayed at a hotel owned by the Radisson group, this is still a case that should be watched with interest. In all likelihood, Radisson’s “small percentage” of affected customers will include Europeans, which will mean that the hotel chain’s breach will fall under GDPR regulation.

If the powers that be investigate the breach and determine that Radisson’s security was lax, it could be fined up to 10 million euros or 4% of its annual global turnover (whichever is higher).

Ouch.
