Cyber Incident Victim: Peppermill Resort Spa Casino

Between October 12, 2014, and February 16, 2015, unauthorized actors compromised payment card data from transactions processed at the front desk of Peppermill Resort Spa Casino in Reno, Nevada. The breach involved criminal hackers illegally acquiring cardholder names, credit or debit card numbers, expiration dates, and security codes (CVV/CVC) through an attack targeting the resort's payment systems. Peppermill management discovered the security incident in late April 2015 but delayed public notification until October 2015 at the request of law enforcement agencies conducting an active investigation. The compromise exclusively affected guests who used payment cards at the resort's front desk during the four-month intrusion window, though the total number of impacted individuals remained undisclosed. Forensic analysis confirmed the attackers exfiltrated card data during the operational period but did not identify the specific intrusion vector or malware used in the breach.

Peppermill Resort initiated breach notifications on October 5, 2015, through individual letters that described the incident as involving "unauthorized and illegal acquisition" of payment card data by external threat actors. The resort implemented revised security policies and procedural controls designed to prevent recurrence of similar incidents, though specific technical countermeasures were not publicly detailed. Affected customers were advised to monitor their financial statements for fraudulent transactions but did not receive identity protection services or compensation offers through the notification process. The delayed disclosure timeline—approximately five months from discovery to notification—stemmed directly from law enforcement requests to preserve investigative integrity during the active case. No additional compromises were reported following the containment of the front desk payment system breach.