
Casino customers and employees put at risk after FireKeepers hack

Two months ago the FireKeepers Casino and Hotel in Battle Creek, Michigan, warned that it was investigating a “possible data security incident” involving its Point Of Sale (PoS) systems.

Whenever you hear news like that you hold your breath, cross your fingers and hope for the best – perhaps the fear will be unwarranted, and it will be found that no such breach occurred.

Well, I’m afraid there is bad news for FireKeepers’ customers, employees and even former staff, as the hotel and casino has now confirmed that it did indeed suffer a data breach – exposing personal data and payment card information.


Approximately 85,000 credit and debit cards used to make food, beverage and retail purchases between September 7 2014 and April 25 2015 are thought to have been put at risk by the hack, exposing cardholder names, card numbers, verification codes and expiry dates.

But the risk doesn’t end there, according to an advisory published for current and past employees:

During the course of our investigation, on May 6, 2015, FireKeepers also determined that there may have been unauthorized access to a file storage server, which contained the personal information of certain customers stored on its file storage server, such as Social Security number and/or driver’s license number. Neither FireKeepers nor its forensic investigators have found evidence of unauthorized access or misuse of the personal information.

The silver lining on the cloud is that, so far, the company hasn’t uncovered any evidence that workers’ social security and driving licence numbers, and other personally identifiable information, have been abused by criminals for the purposes of identity theft.

However, that information is now potentially in the hands of the computer underground – who could choose to exploit it at any time, perhaps waiting years before they strike.

In the statement posted on its website, FireKeepers used the traditional wording deployed by many companies after a serious breach: that it takes security “seriously”.


Such phrases are becoming so common that it’s almost possible to track the latest breach announcements just by Googling for variations on them.

FireKeepers Casino and Hotel says that it now has its systems properly secured, and payment card data can now be processed securely.

Furthermore, the company says that it has installed new PoS equipment, and has tightened its security with increased firewall protection and two-factor authentication.

Of course, ideally all of these measures would have been taken *before* the criminal hackers broke into FireKeepers’ systems and stole their data. And it’s likely that past customers (and indeed current and former employees) will be nervous of trusting the resort again with their personal and payment information.

In short – sloppy security can hit your business hard. If you don’t make information security a board level issue then your company is effectively playing Russian roulette with its future.

R. Bruce McKee, the president of FireKeepers Casino and Hotel, has announced that he is set to retire at the end of this year.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
