Cyber Incident Victim: Holiday Valley Resort

In June 2015, New York-based Holiday Valley Resort publicly disclosed a payment card breach potentially affecting customers who used credit or debit cards at its point-of-sale (POS) systems between October 17, 2014, and June 2, 2015. The resort's investigation revealed malware had infected multiple POS devices across its operations, including food and beverage outlets, recreation facilities, retail stores, and lodging services. This malware exposure created risk for the unauthorized capture of customers' payment card details, specifically names, card numbers, expiration dates, and three-digit CVV security codes. The resort did not disclose the exact number of impacted individuals but confirmed the compromise window spanned over seven months. Due to technical limitations in matching exposed card account numbers with complete customer contact details, Holiday Valley Resort could not directly notify potentially affected guests via email, mail, or phone.

Upon detecting the malware, Holiday Valley Resort initiated containment by removing the malicious software from its POS systems and declaring it safe for customers to resume card transactions. The organization engaged an unspecified third-party forensic firm to investigate the intrusion's origin and scope while implementing enhanced security measures to prevent recurrence. Notifications were made to law enforcement agencies, payment card processors, and relevant financial institutions, with the expectation that banks would directly alert compromised cardholders. The resort maintained publicly accessible FAQs and breach notification letters on its website to inform customers about the incident. As remediation for potential financial harm, Holiday Valley Resort offered affected guests one year of complimentary credit repair services. The forensic investigation remained ongoing at the time of the June 2015 disclosure, with no additional attacker motives or methodologies specified in available reports.