Landry’s Defines Payments Breach Scope

In Las Vegas, the house always wins. But in the seedy underbelly of the Internet, there’s nothing casinos can do when lax cybersecurity policies leave backdoors wide open to hackers and about the liability that follows.

Landry’s Inc., owner of the Golden Nugget Hotels and Casinos brand, announced Monday (Feb. 1) that it had calculated at least a partial extent of the data breach that it first brought to the public’s attention in Dec. 2015. While the entertainment and food services conglomerate did not yet release specific details on how many of its customers’ details might have been affected, it was able to provide both the manner and and rough timeline by which hackers pulled off the systemic breach.

Landry’s explained that the initial pieces of evidence point to a breach beginning on May 4, 2014, and continuing until March 15, 2015. However, the company also found indications that the hackers may have returned for more sensitive information between May 5, 2015, and Dec. 3, 2015.

The company also outlined how the hackers targeted POS systems in restaurants, casinos, real estate properties and even spas to lift customers’ payment and personal information. In fact, Landry’s had found such clear evidence of illicit software in its systems that it could trace the information stolen down to cardholder names, numbers, expiration dates and verification codes — the complete package for sale on “unregulated” markets.

Nation’s Restaurant News reported that Landry’s had retained a private cybersecurity company to oversee operations for the time being, and the organization had also liaised with law enforcement officials to track the source of the breach as much as possible. However, particularly affected customers can expect the unhappy surprise of a direct mailer or email from Landry’s directing them to seek further assistance and detailing what damage it could tabulate.

As more than a few Landry’s customers have said in its casinos and its executives are likely saying now: “Craps.”