“This incident may have allowed criminal hackers access to information about credit or debit cards used at certain Hard Rock Hotel & Casino Las Vegas retail and service locations," Hard Rock said in a statement about the breach it announced last week. "The information potentially affected includes names, card numbers, and CVV codes, but does not include PIN numbers or other sensitive customer information.”
No details about the number of compromised accounts has been released. Hard Rock also provided no details about the nature of the attack.
About now, hotel guests need to be asking: is it safe to use a credit card? That’s because the industry has been under a criminal assault for some months. “It’s been the story of the last year or two -- it just keeps happening,” said Brian Beyer, CEO of Red Canary, an endpoint threat detection provider. “Hotels process a lot of credit card information - that makes them a prime target.”
In April, White Lodging - a large hotel management company with some 160 hotels in its portfolio - said it had suffered a breach, its second in as many years. Other breached hotels include management company Destination, with some 40 hotels in its portfolio; also Wyndham Hotels - which operates Ramada, Days Inn, Wyndham and other brands - suffered several breaches in 2008 and 2009 that compromised 600,000 accounts.
At the Hard Rock, the attack lasted for many months. The company pinpointed the timeframe as September 3, 2014 through April 2, 2015.
Understand, too, that hotel operators - said multiple security experts - rarely discover their breaches themselves. The way it usually plays it is that a large bank or three notices an influx of fraud, it hunts for common elements - that is, a retailer victims have in common. When it finds that, it calls the U.S. Secret Service or FBI and shares its findings. The Feds call the hotel, which typically is in a state of happy denial. “That’s not a good call to get,” said Beyer, who also indicated that in many instances that call is the first time a hotel realizes it has been breached.
Does that mean many hotels might have been breached but don’t yet know it? It does indeed. “How many breaches don’t we know about yet because the company does not know it has been breached?” asked Beyer.
Literally thousands of cyber criminals - generally thought to be in Eastern Europe and China, but they could be anywhere - are working full-time at compromising point of sale systems with injections of malware. The crime is essentially foolproof. Chances of arrest and prosecution are close to zilch.
The news gets worse. “We will continue to see these breaches," said Ken Westin, senior security analyst at Tripwire. "The attacks are getting more sophisticated. Right now it is a cash cow for attackers. It’s as though retailers are sitting around waiting to be breached.”
Westin continued: “That’s pretty scary for consumers.”
There’s a reason for inertia, said David Kidd, vice president of governance, risk and compliance at cloud provider Peak 10. “Most of the losses are being absorbed by financial institutions.” In some cases - where a loss is directly tracked back to a breached retailer or hotel - that company may pick up the tab. But the rule, said Kidd, is that it’s the banks that eat the losses.
Consumers - and here is a sliver of good news for you - rarely suffer any financial loss. There may be some inconvenience - challenging fraudulent charges - but, generally, consumers walk away whole. Protections are clearer - and stronger - for credit card holders as opposed to debit card users, said experts. The latter will rarely suffer financial losses but there may be a lag while debited funds are restored and that can mean bounced rent checks, car payments, and similar. This is why increasing numbers of experts suggest using only credit cards at high risk locations such as hotels.
Either way, said George Rice, senior director of payments at HP Security Voltage, “It’s in every consumer’s best interest to review bank statements and credit reports carefully and regularly.” Do that and, honestly, that’s about all a hotel guest can do - but it should be enough to keep you safe from losses due to fraudulent use of your credit information.
—Written by Robert McGarvey for MainStreet