If you visit the website of Las Vegas’s Hard Rock Hotel and Casino right now, you may spot a message at the top of the page.
Didn’t notice it? Take a closer look.
If you click on the link about the “data security incident”, I’m afraid it’s not good news.
The 640-room hotel is warning that, for some seven months, hackers were able to steal customers’ credit and debit card details from retail outlets (including restaurants and bars) at the Hard Rock Las Vegas property, though not from the hotel and casino themselves.
“This criminal attack was limited to credit or debit card transactions between September 3rd, 2014 and April 2nd, 2015 at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant. The attack did not affect transactions at the hotel, casino, Nobu, Affliction, John Varvatos, Rocks, Hart & Huntington Tattoo or Reliquary Spa & Salon.”
It appears that, in line with other recent attacks against retailers, point of sale (PoS) devices were infected with RAM-scraping malware that was able to exfiltrate sensitive data while it was unencrypted in memory.
The information stolen by the hackers includes the names of cardholders, credit and debit card numbers and CVV codes. PIN codes were not included in the information exposed.
According to a notification sent to New Hampshire’s Department of Justice, approximately 173,000 unique payment cards were used at the affected locations during the at-risk time period.
Many people go to Las Vegas with the knowledge that they might leave with less money than they started out with, but it’s hardly fun to know that your bank balance may be lower because of the acts of criminal hackers.
According to the Hard Rock Las Vegas Hotel and Casino, law enforcement agencies were informed of the security breach shortly after its discovery in early April, but public disclosure has been delayed until now at the FBI’s request to aid the investigation.
The company says it will attempt to notify all affected customers who it is able to identify. Personally I think it would be a good idea if they were a little more obvious in the warning on the home page of their website, but I guess we should be grateful that it is even mentioned there at all.
More information on the anti-fraud services the company is offering affected customers can be found in the Hard Rock Hotel’s statement on its website.
“We sincerely apologize for this incident, regret any inconvenience it may cause you and encourage you to take advantage of the product outlined herein. Should you have questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact us at 888-829-6551.”
One has to hope that the resort is taking a long hard look at its security, and putting systems in place to avoid any customers’ information being stolen again.