Industry News

Hard Rock’s Las Vegas Hotel & Casino hit by hackers

If you visit the website of Las Vegas’s Hard Rock Hotel and Casino right now, you may spot a message at the top of the page.


Didn’t notice it? Take a closer look.


If you click on the link about the “data security incident”, I’m afraid it’s not good news.

Because the 640-room hotel is warning that for some seven months, hackers were able to steal customers’ credit and debit card details from retail outlets (including restaurants and bars) at the Hard Rock Las Vegas property, but not the hotel and casino.

“This criminal attack was limited to credit or debit card transactions between September 3rd, 2014 and April 2nd, 2015 at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant. The attack did not affect transactions at the hotel, casino, Nobu, Affliction, John Varvatos, Rocks, Hart & Huntington Tattoo or Reliquary Spa & Salon.”

It appears that, in line with other recent attackers against retailers, point of sale (PoS) devices were infected with RAM-scraping malware that was able to exfiltrate sensitive data when unencrypted in memory.

The information stolen by the hackers includes the names of cardholders, credit and debit card numbers and CVV codes. PIN codes were not included in the information exposed.

According to a notification sent to New Hampshire’s Department of Justice, approximately 173,000 unique payment cards were used at the affected locations during the at-risk time period.

Many people go to Las Vegas with the knowledge that they might leave with less money than they started out with, but it’s hardly fun to know that your bank balance may be lower because of the acts of criminal hackers.

According to the Hard Rock Las Vegas Hotel and Casino, law enforcement agencies were informed of the security breach shortly after its discovery in early April, but public disclosure has been delayed until now at the FBI’s request to aid the investigation.

The company says it will attempt to notify all affected customers who it is able to identify. Personally I think it would be a good idea if they were a little more obvious in the warning on the home page of their website, but I guess we should be grateful that it is even mentioned there at all.

More information on the anti-fraud services the company is offering affected customers can be found in the Hard Rock Hotel’s statement on its website.

“We sincerely apologize for this incident, regret any inconvenience it may cause you and encourage you to take advantage of the product outlined herein. Should you have questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact us at 888-829-6551.”

One has to hope that the resort is taking a long hard look at its security, and putting systems in place to avoid any customers’ information being stolen again.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • Graham, Dude
    Security is secondary to the amount of money being made hand over fist in this industry. this is my surprised face :~p

    these places don’t care about security. they only care about having 6 and 7 figure income jobs in the business that gives people and outsiders the illusion of being secure, with big important sounding 3 and 4 syllable words to promote the smoke and mirror dog and pony show security in the cloud that is all too soon to vaporize. these security clowns haven’t got a single thought that resembles any semblance of security inside their heads.

  • CVV codes were included? That seems odd. I didn’t think CVV codes were included on the mag stripe and given that the breach took place at retail and F&B locations I wouldn’t think there would be many CNP transactions.

  • I like how they start out the disclosure with, “This criminal attack was limited to” as if that’s good news. Companies need to understand that they will get hacked, so knowing when that happens and controlling data that leaves the network is what they have to focus on. Also maybe stop buying the same POS POS software. (see what I did there?)