From their notice of December 1 (and no, this isn’t related to the Starwood properties’ breach disclosed recently):
Kalahari Resorts recently became aware of a possible security incident involving credit and debit card data reportedly used at our food & beverage, retail and spa outlets at our Wisconsin (1305 Kalahari Dr., Wisconsin Dells, WI 53965) and Ohio (7000 Kalahari Dr., Sandusky, OH 44870) sites. An investigation into this incident was immediately initiated. Our team, including third-party forensics experts, has been working continuously to understand the nature and scope of the incident. This investigation is ongoing. The incident has been contained and our customers can safely use payment cards at all Kalahari Resorts locations.
We believe that the intruder installed malicious software designed to capture data from certain credit and debit cards that were used at our resort outlets (such as restaurants, bars, retail and spa) between May 18, 2015 and November 9, 2015. The incident did not impact our hotel reservation or front desk systems, nor did it impact any transactions at our Pennsylvania resort. The incident could affect credit and debit card data, including card number, cardholder name, card’s expiration, and card verification code. However, we have not determined that any specific individual’s credit or debit card data was affected by this incident.
We take the privacy of personal information very seriously and deeply regret any inconvenience that this may cause our valued guests. We have been in contact with the U.S. Secret Service and will continue to fully cooperate with their investigation.
[…]
Kalahari did not disclose the number of affected consumers. They report learning of the problem in late October when they were “alerted” to the problem, but they do not indicate who alerted them and whether it was someone whose payment card information had been misused.