Las Vegas, NV (hospitalitybusinessnews.com) The Hard Rock Hotel & Casino Las Vegas has issued a statement to customers notifying them of a data breach at the hotel and casino. This is at least the second incident that hospitalitybusinessnews.com is aware of. The last incident occurred in 2015.
John Christly, CISO at Netsurion, a provider of remotely-managed security services, told hospitalitybusinessnews.com, “Once again, we see another hotel being breached by what is suspected to be malware that was placed on a payment-card system. Customers like this need to understand that they are in a digital war with the hackers that want this type of data. It’s a war that is being won, in many instances, by these hackers, and that absolutely needs to change. The entire industry, regardless of vertical specialty, needs to wake up and realize that traditional cybersecurity defenses are no longer working. Even more important is the fact that the patrons of these establishments should expect, and for sure deserve, the absolute security of their data that is entrusted to these companies.
“New defensive approaches, advanced cybersecurity tools and increased cyber intelligence need to be deployed, which usually come from a relationship with an outside vendor due to the specialized knowledge needed to understand what the tools and resulting information being gathered is telling you. Possible tools include things like File Integrity Monitoring (to tell you when files have changed that weren’t supposed to change), Unified Threat Management appliances (used to integrate security features such as firewall, gateway anti-virus and intrusion detection), Security Information and Event Management (used to centrally collect, store and analyze log data and other data from various systems in order to provide a single point of view from which to be alerted to potential issues), and next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems).
“Only then, when systems like this are in place and being managed appropriately, will you be able to have the processes within the programs and the computer operating system and memory watched for suspicious activity—and have those tools talk to other tools that have even deeper threat intelligence from a network of other deployed sensors. These advanced toolsets should ideally be outsourced to a managed security firm that specializes in this type of service, which includes having expert threat researchers that are constantly looking for new activity that could point to a hacker trying to steal data from your systems.”
According to Christly, Netsurion advises customers “that any business, regardless of size, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target, but it’s still no secret that large brand name companies like Hard Rock are unfortunate targets for hackers—enticing them with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities. Many recent breaches have involved malware that, once installed, works to steal sensitive data. There’s no silver bullet strategy to defend against every threat. However, a strong line of defense is making sure that data doesn’t leave the network without the admin’s knowledge and if data is sent out, it only goes to verified Internet addresses. This is where having a relationship with a managed security provider can help, since it is very difficult to defend against the emerging threats of today’s cybersecurity world on your own.”
The Hard Rock Hotel & Casino Las Vegas issued the following statement:
After receiving reports of fraudulent activity associated with payment cards used at the Hard Rock Hotel & Casino Las Vegas, the resort began an investigation of its payment card network and engaged a leading cyber-security firm to assist. On May 13, 2016, the investigation identified signs of unauthorized access to the resort’s payment card environment. Further investigation revealed the presence of card scraping malware that was designed to target payment card data as the data was routed through the resort’s payment card system. In some instances the program identified payment card data that included cardholder name, card number, expiration date, and internal verification code. In other instances the program only found payment card data that did not include cardholder name. No other customer information was involved. It is possible that cards used at certain restaurant and retail outlets at the Hard Rock Hotel & Casino Las Vegas between October 27, 2015 and March 21, 2016, could have been affected.
It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take to protect your information.
We have notified law enforcement officials and are supporting their investigation. We are also working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards. We also continue to work with the cyber security firm to further strengthen the security of our systems to help prevent this from happening in the future.