Casino customers and employees put at risk after FireKeepers hack

Two months ago the FireKeepers Casino and Hotel in Battle Creek, Michigan, warned that it was investigating a “possible data security incident” involving its Point Of Sale (PoS) systems.

Whenever you hear news like that you hold your breath, cross your fingers and hope for the best – perhaps the fear will be unwarranted, and it will be found that no such breach occurred.

Well, I’m afraid there is bad news for FireKeepers’ customers, employees and even former staff, as the hotel and casino has now confirmed that it did indeed suffer a data breach – exposing personal data and payment card information.

Source: FireKeepers

Approximately 85,000 credit and debit cards used to make food, beverage and retail purchases between September 7 2014 and April 25 2015 are thought to have been put at risk by the hack, exposing cardholder names, card numbers, verification codes and expiry dates.

But the risk doesn’t end there, according to an advisory published for current and past employees:

During the course of our investigation, on May 6, 2015, FireKeepers also determined that there may have been unauthorized access to a file storage server, which contained the personal information of certain customers stored on its file storage server, such as Social Security number and/or driver`s license number. Neither FireKeepers nor its forensic investigators have found evidence of unauthorized access or misuse of the personal information.

The silver lining on the cloud is that, so far, the company hasn’t uncovered any evidence that workers’ social security and driving licence numbers, and other personally identifiable information, has been abused by criminals for the purposes of identity theft.

However, now that information is potentially in the hands of the computer underground – who could choose to exploit it at anytime, perhaps waiting years before they strike.

In the statement posted on its website, FireKeepers used the traditional wording deployed by many companies after a serious breach that it takes security “seriously”.

Source: FireKeepers

Such phrases are becoming so common that it’s almost possible to track the latest breach announcements just by Googling for variations on it.

FireKeepers Casino and Hotel says that it now has its systems properly secured, and payment card data can now be processed securely.

Furthermore, the company says that it has install new PoS equipment, and has tightened its security with increased firewall protection and two-factor authentication.

Of course, ideally all of these measures would have been made *before* the criminal hackers broke into FireKeepers’ systems and stole their data. And it’s likely that past customers (and indeed current and former employees) will be nervous of trusting the resort again with their personal and payment information.

In short – sloppy security can hit your business hard. If you don’t make information security a board level issue then your company is effectively playing Russian roulette with its future.

R. Bruce McKee, the president of FireKeepers Casino and Hotel, has announced that he is set to retire at the end of this year.