Firekeepers Casino Hotel Acknowledges Possible PoS Breach


Michigan's Firekeepers Casino Hotel recently announced that it's investigating a "possible data security incident" involving the point of sale (PoS) systems for its casino, hotel, restaurants and shops.

At this point, there's no further information available on how many customers may have been affected, what data may have been accessed, or when the breach may have taken place.

"As soon as we learned of the possible incident, we initiated an aggressive investigation, including immediately engaging independent IT forensic experts to assist us," the casino said in a statement.

"While the investigation continues, we took the additional step of installing new point of sale equipment to ensure our customers can use their credit and debit cards safely at the casino, hotel, and any restaurants or stores on Firekeepers’ property," the hotel added.

All Firekeepers customers are being advised to check their credit and debit card statements for unusual or suspicious activity. "We do not yet know what information, if any, may have been impacted," the hotel stated. "Once we obtain this information, we will be able to determine whether credit monitoring and/or identity protection services will be of any benefit."

The Firekeepers breach follows last week's announcement from the Hard Rock Hotel & Casino Las Vegas that hackers accessed customer names, credit card numbers, expiration dates and CVV codes for credit and debit card transactions between September 3, 2014 and April 2, 2015 at Hard Rock's restaurants, bars and shops.

Mark Bower, global director of product management for HP Security Voltage, told eSecurity Planet by email that PoS systems are the simplest attack point in retail. "Any merchant not considering the repeated warnings and advice -- from payment processors, card brands and processing networks who have been illustrating the risks and encouraging their merchants to upgrade their PoS security -- will be victims of malware," he said.

"Given the high value customers casinos serve, stolen credit and debit cards from this sector are prized by attackers," Bower added. "High spend limits and top tier cards with a proven rapid 'stolen data-to-cash' cycle make casinos a prime target for attacks to vulnerable PoS systems throughout the casino network."

Lieberman Software CEO Philip Lieberman said the fact that Firekeepers doesn't yet know the scope or impact of the breach is typical of companies that have focused on auditor satisfaction rather than true cyber security. "Each breach follows a typical pattern of hiring a forensic company and getting a report that the attack was beyond any reasonable care that the casino or other company could have provided," he said.

"The truth is that there are rarely any investments in security, or process around cyber defense; as well as little concern about the defense of their customers," Lieberman added. "The fault here could be laid at the door of the CEO and board of directors that failed to provide leadership and direction to protect the company and its customers."

Ken Westin, senior security analyst at Tripwire, noted by email that since a recent FBI security advisory warned of breaches at several hotels and casinos, it's reasonable to expect more such announcements in the near future. "Usually criminal syndicates don't attack just a single organization, but an entire segment or industry, as they are able to identify common vulnerabilities across them," he said.

"The casinos themselves should identify any common denominator be it a payment or service provider, specific applications, or trusted business partners that might be the source of a key vulnerability," Westin added. "It can also simply be the case of the criminal syndicates going where the money is.”