Hackers could have eyed about 40,000 credit card numbers of visitors to Nemacolin Woodlands Resort
Hackers could have eyed about 40,000 credit card numbers of visitors to Nemacolin Woodlands Resort, and cybersecurity experts said tracking the criminals could be tough.
Between May and July, hackers grabbed credit card information from the luxe Fayette County resort's retail system and used some cards to make fraudulent purchases, officials said this week.
“Any high-tech crime like this is more difficult especially in the cyber world because the criminal doesn't have to be here in Western Pennsylvania. They could be anywhere in the world,” said FBI Supervisory Special Agent Keith Mularski, who oversees the FBI's “cyber intrusion squad” in Pittsburgh.
Speaking in general about cyber crime, Mularski said the FBI, Secret Service and state police employ agents trained to investigate such crimes. They can analyze the point of compromise and see where connections are being made — even overseas.
It's difficult, he said, but the bureau is successful in leveraging its international relationships.
“A dedicated person can make things very, very difficult for law enforcement,” said Adam Lee, a Pitt assistant professor of computer science who researches security and privacy. “(It) depends on how smart or pre-emptive the person is.”
Hackers targeted “point-of-sale” terminals, where customers swiped their cards at the resort's restaurants and shops, resort spokesman Jeff Nobers said. People who assigned charges to their room were not affected, according to the resort.
State police said anybody who ran a card through the resort's accounting system may be affected.
There are a number of possible ways hackers could have committed the crimes, experts said.
With so much information online, Lee said, it's “inevitable that there's going to be bugs.”
And if hackers spot some software hiccup, they can direct a computer system to pull whatever information they want. Hackers can also take an indirect approach, accessing an organization's system in general, he said.
Point-of-sale terminals are mini computers that run an operating system just like any other computer, Mularski said.
Criminals can install malware, a computer code that recognizes when a card is swiped and then pulls that data to a server anywhere in the world for storage.
Hackers could also search for any computer on the Internet, scanning for services that run on a particular Internet Protocol address, Mularski said.
Hackers did not gain personal information from Nemacolin such as names, only credit card numbers and their expiration dates and security codes.
But even numbers are enough to do damage, experts said.
“When the bad guys swipe that on a point-of-sale terminal and they capture that data, all they need to do is be able to code that back onto counterfeit cards,” Mularski said.
Plus, Lee said, some places allow purchases with just a credit card number.
The numbers may not necessarily be in the hands of the hacker who stole them. Hackers can sell credit card numbers online, Lee said.
“You can do a lot of things with a credit card number,” Lee said. “In addition to just buying things, you can also sell it to other people who want to buy things.”
One victim's credit card was maxed out within a night, police spokeswoman Stefani Plume said.
A state police investigator estimated that 40,000 credit card numbers could have fallen prey to hackers' eyes, but the perpetrators “obviously ... didn't use them all,” Plume said. About a dozen people reported credit card issues to state police, Plume said.
Police can't say for certain where the hackers are from, Plume said.
“Several of the charges in regard to the people that were involved were from different states,” she said. “It appeared as though where the charges were made were coming from inside the U.S.”
The resort hired a private company that confirmed the hacking, and that company secured the system and continues to monitor it. The resort is not aware of any breaches since July.
Any resort guest who sees anything fishy on their credit card statements should contact their credit card company and the resort, and claims will be turned over to police, Nobers said.
Rossilynne Skena is a staff writer for Trib Total Media. She can be reached at 724-836-6646 or firstname.lastname@example.org.