All was not rock and roll at the Hard Rock Hotel & Casino Las Vegas on Monday. The resort said in a statement that it had been the target of a system hack via card-scraping malware that left sensitive customer payment card information vulnerable and accessible. The breach was discovered when Hard Rock received reports of fraudulent activity on the cards, but the catch came about five months too late. According to the statement, the malware has been present on select restaurant and retail point-of-sale (POS) systems throughout the resort from October 27, 2015 and March 21, 2016.
This isn’t the first time this has happened to the popular Las Vegas staple. In May of 2015, the casino experienced another malware attack targeting its card-processing systems, allowing attackers to access credit and debit card information. Both incidents add fuel to the broader discussion and increasing demand for deeper and more intelligent cybersecurity processes. John Christly, chief information security officer (CISO) at Netsurion, says that there is great need for significant changes and updates in monitoring, defense tools and threat management.
"Once again, we see another hotel being breached by what is suspected to be malware that was placed on a payment-card system," Christly told Info Security Magazine. "Customers like this need to understand that they are in a digital war with the hackers that want this type of data. It’s a war that is being won, in many instances, by these hackers, and that absolutely needs to change. The entire industry, regardless of vertical specialty, needs to wake up and realize that traditional cybersecurity defenses are no longer working.”
“Megabreaches” of payment card data have actually been on the decline recently, but attackers are still finding ways in. No one is immune, not even the fast casual food industry. On Tuesday, Noodles & Company, a restaurant chain with over 500 locations across 35 states, announced that its systems had been hacked and payment card information potentially compromised. As with the Hard Rock occurrence, the attack was detected when unusual activity was reported on cards used at some of Noodles & Company restaurants. Experts found a piece of malware said to have been in place since January 31 that cybercriminals planted to gain access to customers’ debit or credit card information. The attackers potentially could have accessed vital specifics such as card numbers, the cardholder name, security numbers and even expiration dates.
To prevent future attacks, Noodles & Company is currently undergoing considerable measures to beef up its system security, and is working to assure those affected by the attack – as well as the general public – that the malware has been removed from its systems and that folks can safely and securely make card purchases at any of the chain’s location. But, as we saw with Hard Rock’s two malware attacks, this invites a fair amount of skepticism as not all malware bugs are detected and caught during the initial sweep.
There are even variances and forms of malware and viruses that slip past the noses of large tech companies. Last Wednesday, Microsoft detected the beginning of a large-scale attack against its Office 365 users. The attack, discovered by Avanan's Cloud Security Platform, came by way of a ransomware virus called Cerber, which acts through email and encrypted files. This is an interesting but vicious bug. Once Cerber infects the files, it essentially demands that a ransom be paid in order for the user to regain access to their own files – a hostage situation, but with documents and photos. Thankfully, Microsoft detected the attack early and blocked the virus the next day.
Even with advancements in boosting security, efforts surrounding prevention and the overall decline of these attacks, there are still many cyber hurdles to cross in terms of early and complete detection. In the meantime, it’s not likely that we’ll see these types of stories disappear from headlines anytime soon.