Hard Rock Hotels & Casinos has reported a massive security breach linked to the hacking of a third-party platform handling hotel reservations for the gaming giant.
The Loews Hotel chain, which uses the same platform, also was victimized.
The attackers were able to grab unencrypted payment card information for hotel reservations, including cardholder names, card numbers and expiration dates, e-mail addresses, phone numbers and addresses. In some cases, security codes were also exposed.
The avenue for the thefts was Sabre Hospitality Solutions’ SynXis system, the backbone infrastructure for reservations made through hotels and travel agencies. According to Sabre, its software is used by roughly 36,000 hotel properties.
“The unauthorized party first obtained access to payment card and other reservation information on August 10, 2016,” Hard Rock said. “The last access to payment card information was on March 9, 2017.”
Hard Rock properties in Biloxi, Cancun, Chicago, Goa, Las Vegas, Palm Springs, Panama Megapolis, Punta Cana, Rivera Maya, San Diego and Vallarta are all affected.
The company operates 176 cafes, 24 hotels and 11 casinos in 75 countries.
Sabre first reported publicly that an investigation into a possible breach was under way in a quarterly SEC filing in May. News reports said the company did not reveal exactly how the system was breached but had hired cybersecurity firm Mandiant to investigate.
In the case of Loews the attackers were able to steal credit card, security code and password information. In some cases, e-mail addresses, phone numbers and street addresses were also exposed.