Howard Stutz reports that Affinity Gaming has disclosed a second hacking incident involving its payment card processing system. Although its first incident reportedly affected up to 300,000 customers, Affinity Gaming is confident this breach did not result in the theft of any customer card data after April 28th. They do not indicate when the incident started, however, or how many customers’ card information may have been stolen before April 28th. Nor do they indicate how they learned of the attack (they learned of the first incident from law enforcement).
Here are the statements posted on their website about this incident:
LAS VEGAS, April 28, 2014 – Affinity Gaming recently became aware of an unauthorized intrusion into the system that processes customer credit and debit cards for our casinos. To fully understand this event and its implications, a thorough investigation is under way by Mandiant, a firm with globally recognized expertise in data security and IT forensics. Affinity has implemented controls to secure the credit card processing environment. We currently have no evidence to indicate that credit card data is being stolen. Additional work is ongoing to confirm security of the entire Affinity IT environment. Affinity is notifying law enforcement and gaming regulatory officials, and will fully cooperate with them in response to this matter. As the investigation progresses, we will be providing more information to our customers, as the security of their information is of the utmost importance to us. We also will continue to evolve and enhance our system security, in response to new and emerging threats.
UPDATE, May 5, 2014 – Affinity Gaming and its IT experts indicate that no credit card data was stolen after late afternoon April 28, 2014. The extensive investigation continues. In addition to upgrading our system, Affinity Gaming has established a confidential, toll-free inquiry line to assist its customers. The confidential inquiry line is available Monday through Friday, 6:00 a.m. to 6:00 p.m. P.S.T. and can be reached at (877) 238-2179 (U.S. and Canadian residents) or +1 (814) 201-3696 (international residents).
Affinity’s previous incident was disclosed in December 2013. Their statement on that incident can be found here.
Given that the FTC opened an investigation against Wyndham, which also experienced repeated hacking incidents, it will be interesting to see what, if anything, the FTC does about Affinity Gaming, particularly if their attempts to address the first incident were insufficient to prevent the second incident.