Battle Creek, Michigan-based Firekeepers Casino Hotel recently announced it’s investigating a “possible data security incident” involving the point of sale systems at its Las Vegas facility’s casino, hotel, restaurants and shops.
Vice President of Marketing Jim Wise said the investigation was launched after the casino received “a couple of calls” from guests who were concerned about their bank or credit card statements. “As soon as we learned of the possible incident, we initiated an aggressive investigation, including immediately engaging independent IT forensic experts to assist us.” Wise added FireKeepers notified law enforcement authorities and has proactively replaced its point of sale equipment with equipment that is not tied to the casino’s systems. “We took the additional step of installing new point of sale equipment to ensure our customers can use their credit and debit cards safely at the casino, hotel, and any restaurants or stores on Firekeepers’ property,” he said.
Casino officials have not yet released further information on the number of customers affected, what data had been accessed or when the breach took place. All Firekeepers customers have been advised to check their credit and debit card statements for unusual or suspicious activity. Any information submitted through the website was not part of the breach.
The Firekeepers breach follows the Hard Rock Hotel & Casino Las Vegas’ recent announcement that hackers accessed customer names, credit card numbers, expiration dates and CVV codes for credit and debit card transactions between September 3, 2014 and April 2, 2015 at the property’s restaurants, bars and shops.
Philip Lieberman, chief executive officer at cyber defense firm Lieberman Software, said, “Each breach follows a typical pattern of hiring a forensic company and getting a report that the attack was beyond any reasonable care that the casino or other company could have provided. The truth is that there are rarely any investments in security or process around cyber defense, as well as little concern about the defense of their customers. The fault here could be laid at the door of the CEO and board of directors that failed to provide leadership and direction to protect the company and its customers.”
According to Mark Bower, global director of product management for HP Security Voltage, noted, “Any merchant not considering the repeated warnings and advice—from payment processors, card brands and processing networks who have been illustrating the risks and encouraging their merchants to upgrade their POS security—will be victims of malware.” He added because casinos serve high-value customers, stolen credit and debit cards are highly prized.
Ken Westin, senior security analyst at Tripwire, stated, “I would expect to hear about more casinos being hit. Usually criminal syndicates don’t attack just a single organization, but an entire segment or industry, as they are able to identify common vulnerabilities across them.” He warned, “The casinos themselves should identify any common denominator, be it a payment or service provider, specific applications or trusted business partners that might be the source of a key vulnerability. It can also simply be the case of the criminal syndicates going where the money is.”