The Hard Rock Hotel & Casino in Las Vegas Monday reported a data breach after point-of-sale (POS) malware was found on the resort’s systems.
The Rock and Roll themed casino launched an investigation after receiving reports of fraudulent activity associated with payment cards used at the venue, according to the Notice of Data Breach submitted to the California Attorney General.
“On May 13, 2016, the investigation identified signs of unauthorized access to the resort’s payment card environment,” the notice said.
Anyone who used their cards used at the casino or certain restaurants and retail outlets within the venue between Oct. 27, 2015 and March 21, 2016, may have been affected.
Cardholder names, card numbers, expiration dates, and internal verification codes may have been compromised, though in some cases card holder’s name were not captured.
The Hard Rock Hotel & Casino notified law enforcement of the incident and is working with payment card networks to ensure that the affected accounts are monitored accordingly. The resort is also working with a cybersecurity firm to strengthen its systems.
Last year, the resort reported a similar incident when malware was spotted on the POS server, but was contained due to precautionary measures taken by the hotel.
Hospitality organizations are ideal targets for cybercriminals because they handle highly valuable personal and financial information Zach Forsyth, a director of technology innovation at cyber security firm Comodo told SCMagazine.com via email.
He said large, well-known chains are even more susceptible targets due to the sheer volume of data that they store and share adding that many of these firms have antiquated IT technology in place.
“It’s a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left,” Forsyth said.
Forsyth said companies should focus should be on protection rather than detection and that they should invest in modern secure Web gateways and advanced endpoint protection solutions that can stop malware and cyberattacks.
John Christly, CISO at Netsurion, a provider of remotely-managed security services for multi-location businesses, agreed.
“The entire industry, regardless of vertical specialty, needs to wake up and realize that traditional cybersecurity defenses are no longer working,” Christly said. “Even more important is the fact that the patrons of these establishments should expect, and for sure deserve, the absolute security of their data that is entrusted to these companies.”