The Hard Rock Hotel & Casino in Las Vegas has admitted that criminal hackers may have accessed credit or debit card information in a breach that lasted from Sept. 2014 to last month.
The compromised information includes names, card numbers and CVV codes. The company didn’t give many details, only saying in a website notice that “some” restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant, were affected; the attack did not affect transactions at the hotel, casino, Nobu, Affliction, John Varvatos, Rocks, Hart & Huntington Tattoo or Reliquary Spa & Salon.
“The trust and loyalty of our customers is our highest priority,” the hotel said in its statement. “We sincerely apologize for this incident, [and] regret any inconvenience it may cause you.”
The statement is short, and refers customers to credit monitoring and fraud detection services.
“The consumer is somewhat powerless here and must rely on the hotel’s data security to prevent their card information from being stolen,” said George Rice, senior director of payments at HP Security Voltage, in an email. “Most hotels require a card on file, so cash is not a good option (and we wouldn’t want to suggest this anyway). PIN debit can protect that one transaction but not the PAN which could be used elsewhere without a PIN…and I’m not sure that PIN debit is commonly accepted at hotels anyway. EMV is not going to prevent data theft and is not (yet) a requirement in the US. Payment tokens could help but to my knowledge are generally not accepted at hotels.”
He added, “It’s in every consumer’s best interest to review bank statements and credit reports carefully and regularly.”
Ken Westin, senior security analyst at Tripwire, added that the payments industry as a whole needs to move to point-to-point encryption (P2PE). That move can come at a heavy cost because it often requires an overhaul of existing payment systems, so it is not something that will happen quickly.
But, “the fact we continue to see retail breaches even after some of the mega breaches over the past year indicates two things,” he noted. “First, attackers are adapting their methods and the sophistication of their tools. Second, many retailers have yet to invest in detection and haven’t yet adapted their defenses to detect these very real threats.”