Cyber Incident Victim: Hard Rock Hotel and Casino Las Vegas

The Hard Rock Hotel and Casino Las Vegas disclosed a cybersecurity incident involving unauthorized access to payment systems at its Las Vegas property. The breach impacted customers who made purchases at certain restaurant and retail outlets between October 27, 2015, and March 21, 2016. The investigation began on May 13, 2016, following reports of fraudulent activity linked to payment cards used at the resort. Forensic analysis confirmed attackers deployed card-scraping malware designed to intercept payment card data as it traversed the resort’s payment processing systems. Compromised information included cardholder names, card numbers, expiration dates, and internal verification codes. This marked the second breach at the Las Vegas property within two years, following a prior incident affecting transactions from September 2014 to April 2015. The hotel engaged a third-party cybersecurity firm to assist with containment and remediation efforts.

Notification letters were issued to affected guests after the investigation confirmed the malware’s presence and scope. The resort emphasized its collaboration with forensic investigators and law enforcement but did not disclose specific containment measures or malware variants. No attacker attribution or data exfiltration methods were detailed in the public statement. The breach exclusively impacted transactions processed at the Las Vegas location, with no evidence of compromise at other Hard Rock properties. Financial repercussions for affected customers included fraudulent charges, though the scale of monetary losses was not quantified. The incident highlighted persistent vulnerabilities in the resort’s payment infrastructure, given its recurrence within a short timeframe.