Cyber Incident Victim: Four Winds Casino Resort
Date: Oct 2014
Location: United States of America
Summary
A Michigan casino operator experienced a payment system compromise involving card-stealing malware that harvested payment card details including names, numbers, expiration dates, and verification codes from physical transactions across its three casino properties and affiliated service station. The breach was identified following bank notifications about fraudulent transactions, prompting an investigation with law enforcement and third-party security experts to contain the incident and prevent further infections. While the entity lacks sufficient data to individually identify potentially affected patrons who swiped cards during the exposure window, it established an informational resource and advised vigilance regarding financial statements for unauthorized activity. This incident reflects broader point-of-sale malware targeting patterns observed across the hospitality sector.
Description
In late October 2015, Four Winds Casino Resort, operating three casinos and a Bent Tree Market service station on tribal lands in Michigan, disclosed a payment system breach involving card-stealing malware. The intrusion was detected after financial institutions alerted the casino to fraudulent transactions linked to its properties. Forensic analysis revealed that malicious software had infiltrated point-of-sale (POS) systems across all four locations: the New Buffalo, Hartford, and Dowagiac casinos, along with the Dowagiac service station. The malware actively harvested payment card details—including cardholder names, account numbers, expiration dates, and verification codes—from cards physically swiped at transactional terminals. The compromise period spanned nearly a full year, from October 2014 through October 21, 2015, exposing an undetermined number of patrons who conducted in-person transactions during this window. Four Winds acknowledged it lacked sufficient data to directly identify or contact affected individuals due to the nature of the POS data collection.

Upon discovery, Four Winds initiated containment measures by engaging law enforcement and retaining a third-party cybersecurity firm to investigate the breach scope, eradicate the malware, and fortify network defenses against further compromise. The organization established a dedicated informational website for potentially impacted customers but did not confirm whether it would provide credit monitoring services. Public advisories urged patrons who visited any affected property during the 12-month exposure period to vigilantly review bank statements and credit reports for unauthorized activity. This incident aligned with a broader pattern of POS malware attacks targeting hospitality and gaming sectors during the mid-2010s, as evidenced by contemporaneous breaches at major hotel chains including Hilton, Mandarin Oriental, and Trump properties. The stolen card data typically entered underground markets where it was monetized through fraudulent purchases. Four Winds’ investigation remained ongoing at the time of disclosure, with no additional technical specifics about the malware variant or attacker attribution disclosed publicly.
