• United States




Hard Rock Hotel & Casino suffers data breach

Apr 30, 20153 mins
Data Breach

This week I was at the Interop conference being held at the Mandalay Bay Resort in Las Vegas. I was amazed at the spectacle that was surrounding the Mayweather vs Paquiao fight this coming weekend. Tickets were reportedly going for about $86,000 for ringside. Highway robbery was my initial thought.

It seems that this was nothing in comparison to a criminal issue that the Hard Rock Hotel & Casino was dealing with just down the road. News came out on Thursday that they had suffered a data breach courtesy of a criminal element. The casino made it known that their payment systems in their restaurant, bar and some retail locations had been compromised.

This sounds like a tune we’ve heard before. It sounds awfully similar to the data breaches that we have seen that affected the point of sale systems at Home Depot, Target and so forth. This time it seems that the data breach began on September 3rd, 2014 until it was discovered April 2nd, 2015. Seven months of transactions. Ouch.

Now having spent more than my share of time in Vegas for a wide range of security conferences I can only imagine that the amount of money that was affected by this breach would be massive.

From the breach notification:

This criminal attack was limited to credit or debit card transactions between September 3rd, 2014 and April 2nd, 2015 at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant. The attack did not affect transactions at the hotel, casino, Nobu, Affliction, John Varvatos, Rocks, Hart & Huntington Tattoo or Reliquary Spa & Salon.

Please review your credit and debit card statements and report any suspicious activity to your bank. Note that customers usually have no liability for unauthorized charges that are reported in a timely manner.

If you stayed at the Hard Rock in that seven month window you would be well served to check your statements.

The company has engaged with Experian to provide identity protection for affected customers. It is unclear as to the number of affected individuals at this time.

There is a website that people can go to get more information about the breach at but, at the time of this posting the site was not live yet. The date on the breach notice to be sent out is May 1, 2015. So, it is entirely possible that it will be live later today.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author