Identity thieves have hit Las Vegas’ Hard Rock Hotel and Casino in a massive data breach that includes credit card numbers, names, and addresses, according to reports.
The company says it found malware on its systems, which was used to pinch the data from its retail and service locations. The gang did not make off with PINs, the company said in a statement.
Hard Rock said it uncovered the attack on April 3rd, and the affected card transactions were between September 3rd, 2014 and April 4th of this year. Skimmed transactions were at its restaurant, bar and retail shops. The casino and hotels were unaffected.
Point-of-sale malware is becoming more sophisticated and successful at stealing vulnerable magnetic stripe data from US credit cards.
The fresh attack, similar to those at Target and Home Depot, highlights two issues.
The first is that the U.S. still uses insecure magnetic stripes to process transactions. The rest of the world has moved to highly secure chip-and-PIN technology. The move has been delayed because fraud losses have tended to be small relative to the massive investment needed to migrate to the new technology. Yet individual cardholders are now feeling the pain of this decision as cyber-criminals perpetrate large-scale card skimming that takes advantage of this known vulnerability.
The second issue this highlights is why it took a full month for Hard Rock to notify the public. The size of the data breach is massive, and the earlier those affected know about it, the better they can protect themselves. Some states have enacted mandatory data breach disclosure laws, and it seems in this case they would have helped victims. Hard Rock has very little excuse for not promptly notifying affected customers, who now will have suffered greater loss as a result of the delay.