The company has hired a security firm to look into reports from several financial institutions about a pattern of fraud on credit cards used at Hershey properties.
Specifically, sources at three financial institutions told Krebs they detected a pattern of fraudulent activity on cards used at Hershey locations, including food and beverage outlets, ticket stations and the Hershey Lodge, between mid-March and late May 2015.
"We have received reports from some of our guests that fraud charges appeared on their payment cards after they visited our property," Hershey Entertainment and Resorts Company director of communications Kathleen McGraw told Krebs. "We take reports like this very seriously."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"While our company does have security measures in place designed to prevent unauthorized access to our network, we immediately began to investigate our system for signs of an issue and engaged an external computer security firm to assist us," McGraw added. "The investigation is ongoing."
Mark Bower, global director of product management for HP Security Voltage, told eSecurity Planet by email that hospitality service providers like Hershey face additional challenges regarding payment card security. "Card on file transactions are common, meaning card data is often stored longer than typical retailers to maintain customer bookings and for resort service charges after check-in," he said.
"Feeds from online booking systems often channel card data from various sources and third parties over the Internet, creating additional possible points of compromise," Bower added. "Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information."