Payment card data stolen in months-long attack
The Hard Rock Hotel & Casino Las Vegas reported on Monday that cyber criminals were able to access customer payment data. The scheme was carried out by using card scrapping malware installed in the casino’s payment system.
The size of the data breach has not been revealed, but officials with the company warned that anyone who used payment cards at the resort between October 27, 2015 and March 21, 2016 could have been exposed to a threat.
An unnamed cyber security firm first identified the malware. The malicious software was able to isolate payment card information as it was routed though the casino’s computer system. Details like card number, expiration date, cardholder name, and the internal verification code were all exposed.
This is the second time that The Hard Rock Hotel & Casino fell prey to a malware attack. Embedded software previously discovered in the company’s computer system was used to steal payment card data from late 2014 to early 2015.
The issue of cyber security, however, is hardly limited to this one resort. Hospitality giants including Hilton, Mandarin Oriental Hotel Group, and Starwood Hotels have all been targeted by cyber criminals in the last year. Hyatt reported in early 2015 that 250 of its global properties had been affected by a data breach.
The overall frequency of large scale breaches has declined in recent years, but the hospitality industry remains a popular target. That is largely due to the fact that resorts collect and share a large volume of highly valuable personal and financial information. Many also rely on outdated IT systems that have not been updated to defend against sophisticated threats.
Hotels are also unique in that they maintain large public Wi-Fi networks. In past incidents, hackers have targeted hotel occupants rather than hotel administrators and successfully stolen user’s sensitive information, including passwords.
Experts warn that the frequency and severity of these breaches is expected to increase. Hotels, resorts, casinos and other businesses without a clear “tech” focus often underestimate the threat of cyber criminals. Many also lack the institutional resources necessary to detect and deflect complex attacks. Until the strength of the defense matches the strength of the offense, resort guests will continue to be put at risk.
Travelers concerned about cyber security are advised to be careful when using public Wi-Fi networks, to avoid untrusted ATM machines, and to keep all devices on your person at all times. Unfortunately, there is no way for travelers to protect their payment card data if a resort is using a vulnerable computer system.
Leave a Reply