WTAE in Pennsylvania reports that guests who stayed at Nemacolin Woodlands Resort between May and July may have had their credit card numbers, expiration dates, and CSC numbers exfiltrated by a POS compromise.
Read the statement from Nemacolin Woodlands Resort on WTAE.
One intriguing statement in their release was this:
A private firm investigating this security issue noted that other hospitality outlets using the same point of sale system were also victimized and that the appropriate agencies are working to identify the guilty parties.
So… did someone enable remote access with default login credentials or what? And what POS was this? I’ve reached out to the resort to request more information and will update this blog entry if I get a response.
Update: NWR kindly responded to my inquiry but says that they are not releasing any additional details at this time due to the ongoing investigation.
Update2: From what I’ve been reading, default login credentials should not be an issue if it’s a current version of the software (see also this January 2011 document).
Update3: I contacted Micros who responded with the following statement:
While for reasons of confidentiality and security we do not comment on any specific matters, we can state definitively that MICROS sells only products that have undergone thorough security testing and analysis, and have been further validated in writing by an independent third party qualified security assessor as fully compliant with the PA-DSS security standards. All of MICROS’ validated products appear on the PCI security website, at www.PCISecurityStandards.org.
Finally, we are unaware of any “rash” of compromises. Quite to the contrary, the number of security compromises has declined significantly as more and more merchants are now implementing better security procedures, which include the deployment of only PA-DSS validated products.
So why did the team investigating the Nemacolin breach say that others using the same POS were also victimized? It would be nice to know more about what’s really going on.
I see that Nemicolon is saying this started in May. However, my friends, sister, and I visited Nemicolon at the end of March and it happened to us. I used my new credit card two times, once online and once at Nemicolon. When it was maxed out in Canada, I assumed it was the online transaction. Then two weeks later my sister’s debit card was maxed out in Kanas. Another party with us had a card stolen and used in Kentucky. Not only has Nemicolon not come forward with this information, or notified any guest that might be victims, but they are minimizing the time frame. This is upsetting and not what you would expect from a 5 star resort.
Have you contacted NWR to let them know about your experiences? Sometimes timeframes get revised as forensic investigations go on. If you think this really started earlier, I hope you let them know. And have you asked them about providing credit restoration services at their expense? Please keep us posted.
Micros 9700
Thanks. If you don’t want to say publicly, perhaps you could email me (breaches at databreaches.net) to let me know how you know this? And if you have any other details, do let me know.