The Hard Rock Hotel & Casino in Las Vegas discovered a major breach of their credit card processing data with card scraping malware placed on its payment-card system. Cardholders who purchased anything at Hard Rock Las Vegas including restaurant and retail outlets between October 27, 2015 and March 21, 2016, could have been affected. The popular Las Vegas party resort popular with celebrities first noticed irregularities in May.
The Hard Rock described the data that was taken:
"The investigation identified signs of unauthorized access to the resort’s payment card environment. Further investigation revealed the presence of card scraping malware that was designed to target payment card data as the data was routed through the resort’s payment card system. In some instances the program identified payment card data that included cardholder name, card number, expiration date, and internal verification code. In other instances the program only found payment card data that did not include cardholder name. No other customer information was involved."
"Once again, we see another hotel being breached by what is suspected to be malware that was placed on a payment-card system," stated John Christly, who is a Cybersecurity Evangelist at Netsurion. "Customers like this need to understand that they are in a digital war with the hackers that want this type of data." Christly bluntly calls this "a a war that is being won, in many instances, by these hackers and that absolutely needs to change."
“Hospitality organizations are ideal targets for the cybercriminal today because they handle highly valuable personal and financial information—the proverbial goldmine for the cyberthief. Large, well-known chains are even more susceptible targets due to the sheer volume of data that they store and share.
Unfortunately, many of these companies have antiquated IT security technology in place, which is an easy workaround for the hackers. It’s a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left. By then, it’s too late. The focus for IT departments needs to be on protection, not detection, and installing modern secure Web gateways and advanced endpoint protection solutions that can stop malware and cyberattacks from compromising data and negatively impacting their businesses and customers.”
"We advise our customers that any business, regardless of size, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target, but it’s still no secret that large brand name companies like Hard Rock are unfortunate targets for hackers— enticing them with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities, added Christly. "Many recent breaches have involved malware that, once installed, works to steal sensitive data."
"There’s no silver bullet strategy to defend against every threat. However, a strong line of defense is making sure that data doesn’t leave the network without the admin’s knowledge and if data is sent out, it only goes to verified Internet addresses. This is where having a relationship with a managed security provider can help, since it is very difficult to defend against the emerging threats of today’s cybersecurity world on your own.”
According to the Wall Street Journal, "In the past year, Hyatt Hotels Inc., Starwood Hotels & Resorts Worldwide Inc. and Hilton Worldwide Holdings Inc. all reported data breaches of their credit and debit-card processing systems."