More questions than answers after Hard Rock Hotel comes clean over credit card breach

How did the hack last seven months, how was the breach detected and would 'chip and PIN' cards have made a difference?

The Hard Rock Hotel & Casino credit card breach, which was first revealed a few days ago, has left consumers and security experts alike with more questions than answers.

The hotel released a statement letting customers know that there had been a security incident that may have affected their credit card information.

It said the incident may have allowed criminal hackers access to information about credit or debit cards, including names, card numbers and CVV codes, if the cards were used at the hotel and casino's retail and service locations. The exposed data did not include PINs or other personal information, it claimed.

However, the most surprising aspect of the statement is the length of the exposure window: the compromise covered many credit and debit transactions that took place between 3 September 2014 and 2 April 2015.

Ken Westin, senior security analyst at Tripwire, said that the glaring feature of the breach was that it went undetected for seven months.

However, he said that the fact that the compromise was not detected by the hotel itself is not surprising, because many retailers have not been able to detect the presence of point-of-sale (POS) malware or exfiltration of card data.

"Most of the time, the retailers discover the breach when the Secret Service or fraud analysts at banks notify them that they have detected credit card fraud patterns, or stolen cards in underground markets that put their point-of-sale systems as the origin of the breach," he said.

"In their statement, the Hard Rock Casino did not state how they detected the breach, so it is not clear if they were notified by an agency or bank, or if they identified it on their own," he added.
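The kind of check Westin says most retailers lacked is a scan of data leaving POS hosts for card-number patterns. The following is an added example, not code from the article, from Tripwire or from the Hard Rock incident: it scans a constructed buffer (publicly known test card numbers, not real accounts) for 13-19 digit runs, keeps only those that pass the Luhn mod-10 check, flags the ones that sit in a Track-2-style "PAN=expiry" layout, and reports them masked to the first six and last four digits. The sample traffic and the `gate.php` path are invented for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample, not real traffic: a chunk of outbound data a POS host
# might emit if RAM-scraper output were being exfiltrated over HTTP. The PANs
# are publicly known test numbers; the URL path is invented for the example.
SAMPLE_BUFFER = b"""GET /gate.php?d=4111111111111111%3D2512101 HTTP/1.1
order_id=12345 total=89.90
;5555555555554444=25121019999888800000?
support ticket 1234567890123 reopened
"""

# 13-19 consecutive digits not adjacent to other digits: the PAN length range
# used by the major card brands. Non-card numbers are filtered out by Luhn.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(data: bytes) -> List[Tuple[str, str]]:
    """Scan a byte buffer for Luhn-valid card numbers.

    Returns (masked_pan, kind) pairs, where kind is "track2" when the number
    is immediately followed by the Track-2 field separator "=" (or its
    URL-encoded form "%3D"), and "pan" otherwise.
    """
    text = data.decode("latin-1")   # one byte per char, so offsets stay stable
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        pan = m.group()
        if not luhn_valid(pan):
            continue
        tail = text[m.end():m.end() + 3]
        kind = "track2" if tail.startswith("=") or tail.startswith("%3D") else "pan"
        hits.append((mask_pan(pan), kind))
    return hits


if __name__ == "__main__":
    for masked, kind in find_pans(SAMPLE_BUFFER):
        print(f"possible card data leaving the host: {masked} ({kind})")
```

Run against the sample, the scanner reports the two test PANs and ignores the 13-digit ticket number, which fails Luhn. A production egress check would run the same logic over captured packets or proxy logs and alert on any hit, since a retailer's POS network should never carry cleartext PANs outbound.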

In its advice to customers who could have been affected, the hotel said they should review their card statements carefully and check for any fraudulent activity. If they suspect any fraudulent activity they should notify their bank as soon as possible.

George Rice, senior director of payments at HP Security Voltage, said that the breach showed how powerless consumers are when it comes to hotel payments.

"The consumer is somewhat powerless here and must rely on the hotel's data security to prevent their card information from being stolen. Most hotels require a card on file, so cash is not a good option - and we wouldn't want to suggest this anyway," he said.

Unlike the UK, the US does not yet have EMV technology – or 'chip and PIN' – in wide use, but Rice believes this wouldn't have made much of a difference from a security perspective.

"PIN debit can protect that one transaction but not the personal account number which could be used elsewhere without a PIN," he said.

"EMV is not going to prevent data theft and is not yet a requirement in the US. Payment tokens could help but to my knowledge are generally not accepted at hotels," he added.