Grand Sierra Resort guest payment cards breached in 2014 and again in 2015

The Grand Sierra Resort in Reno, Nevada, has become the latest hospitality entity to disclose a data breach involving customers’ credit card information. In this case, there appear to be two time frames during which cards used at their food and retail locations may have been compromised: for a one-month period in 2014 and again during a 5-month period in 2015.

The resort was first notified of a problem by law enforcement in September, 2015, but was not able to confirm the breach until January, 2016. Why confirmation took so long, and why it took another three months to disclose the breach publicly, has not been explained. Nor has the resort disclosed the number of impacted guests or the method of the compromise.

Those affected were not offered any mitigation services such as credit monitoring, and the resort does not indicate whether card issuers were notified.

All in all, not a great situation: failure to detect compromise not once, but twice, and slow to disclose? I wonder if the FTC will investigate this one.

The following material is from the resort’s notice dated April 25, and posted on their web site:

We are writing to notify guests of an unfortunate situation regarding a data security incident that may have affected the security of certain guest payment card information. Below is information on the incident and resources available to protect potentially impacted guests against identity theft or fraud, should they feel the need to do so.

WHAT HAPPENED? On or around September 29, 2015, the Grand Sierra Resort was contacted by law enforcement regarding an investigation into a potential compromise of payment card information used at food and retail locations at the Grand Sierra Resort. We immediately began to cooperate with law enforcement and to investigate this matter. Third party forensics investigators were retained to assist the Grand Sierra Resort. On or around January 11, 2016, these investigators confirmed that certain guest payment card information for cards used at food and retail locations at the Grand Sierra Resort may have been compromised.

WHAT INFORMATION WAS INVOLVED? The investigation has determined that payment card information used at the Grand Sierra’s onsite food and retail locations between February 19, 2014 and March 13, 2014 or March 20, 2015 and August 6, 2015 could be at risk. This includes information like the cardholder’s name, credit card number, credit card expiration date, Track 1 data and Track 2 data. Please note that this incident did not affect payment cards used to book or pay for lodging.

WHAT WE ARE DOING? Since discovering the compromise, we have worked closely with law enforcement and our forensics investigators to determine what happened, what information may be at risk and to whom this information may relate. Additionally, as part of our ongoing commitment to the security of the personal information in our care, we have worked diligently to enhance existing security measures to prevent further unauthorized access to guest payment card information.

WHAT YOU CAN DO. We encourage potentially impacted guests to review the information below on how to better protect against identity theft or fraud.

FOR MORE INFORMATION. We apologize for any inconvenience and concern this incident causes you. The security of our guests’ personal information is one of our highest priorities. Should you have any questions about the content of this notice or ways you can protect yourself from the possibility of identity theft, please call our dedicated hotline at (877) 216-3789 between 9 a.m. and 7 p.m. EST, Monday to Friday. Please use reference number 6216041816 when calling.

The full notice can be found here.

About the author: Dissent