HP Security Voltage, Lieberman Software and Tripwire commented on the current spate of casino data breaches, after the recent Hard Rock news and new admission by Firekeepers Casino of a possible POS data breach.
Mark Bower, global director of product management, HP Security Voltage (www.voltage.com):
“The point of sale (POS) system is the simplest attack point in the retail flow, yet easily mitigated with modern end-to-end data security as used by large and small retailers today without customer impact.
Any merchant not considering the repeated warnings and advice – from payment processors, card brands and processing networks who have been illustrating the risks and encouraging their merchants to upgrade their POS security – will be victims of malware.
Given the high value customers casinos serve, stolen credit and debit cards from this sector are prized by attackers. High spend limits and top tier cards with a proven rapid ‘stolen data-to-cash’ cycle make casinos a prime target for attacks to vulnerable POS systems throughout the casino network.”
Philip Lieberman, CEO, Lieberman Software (www.liebsoft.com):
“Their breach of point of sale systems with no knowledge of scope or the event itself is typical of companies that have only concentrated on auditor satisfaction rather than operational cyber defense capabilities. Each breach follows a typical pattern of hiring a forensic company and getting a report that the attack was beyond any reasonable care that the casino or other company could have provided.
The truth is that there are rarely any investments in security, or process around cyber defense; as well as little concern about the defense of their customers. The fault here could be laid at the door of the CEO and board of directors that failed to provide leadership and direction to protect the company and its customers.”
Ken Westin, senior security analyst, Tripwire (www.tripwire.com):
“There was recently an advisory from the FBI indicating that a number of casinos and hotels have been hit, so I would expect to hear about more casinos being hit. Usually criminal syndicates don¹t attack just a single organization, but an entire segment or industry, as they are able to identify common vulnerabilities across them. The casinos themselves should identify any common denominator be it a payment or service provider, specific applications, or trusted business partners that might be the source of a key vulnerability. It can also simply be the case of the criminal syndicates going where the money is.”