ShareThis Page

Hackers could have eyed about 40,000 credit card numbers of visitors to Nemacolin Woodlands Resort

| Thursday, Oct. 4, 2012, 12:02 a.m.

Hackers could have eyed about 40,000 credit card numbers of visitors to Nemacolin Woodlands Resort, and cybersecurity experts said tracking the criminals could be tough.

Between May and July, hackers grabbed credit card information from the luxe Fayette County resort's retail system and used some cards to make fraudulent purchases, officials said this week.

“Any high-tech crime like this is more difficult especially in the cyber world because the criminal doesn't have to be here in Western Pennsylvania. They could be anywhere in the world,” said FBI Supervisory Special Agent Keith Mularski, who oversees the FBI's “cyber intrusion squad” in Pittsburgh.

Speaking in general about cyber crime, Mularski said the FBI, Secret Service and state police employ agents trained to investigate such crimes. They can analyze the point of compromise and see where connections are being made — even overseas.

It's difficult, he said, but the bureau is successful in leveraging its international relationships.

“A dedicated person can make things very, very difficult for law enforcement,” said Adam Lee, a Pitt assistant professor of computer science who researches security and privacy. “(It) depends on how smart or pre-emptive the person is.”

Hackers targeted “point-of-sale” terminals, where customers swiped their cards at the resort's restaurants and shops, resort spokesman Jeff Nobers said. People who assigned charges to their room were not affected, according to the resort.

State police said anybody who ran a card through the resort's accounting system may be affected.

There are a number of possible ways hackers could have committed the crimes, experts said.

With so much information online, Lee said, it's “inevitable that there's going to be bugs.”

And if hackers spot some software hiccup, they can direct a computer system to pull whatever information they want. Hackers can also take an indirect approach, accessing an organization's system in general, he said.

Point-of-sale terminals are mini computers that run an operating system just like any other computer, Mularski said.

Criminals can install malware, a computer code that recognizes when a card is swiped and then pulls that data to a server anywhere in the world for storage.

Hackers could also search for any computer on the Internet, scanning for services that run on a particular Internet Protocol address, Mularski said.

Hackers did not gain personal information from Nemacolin such as names, only credit card numbers and their expiration dates and security codes.

But even numbers are enough to do damage, experts said.

“When the bad guys swipe that on a point-of-sale terminal and they capture that data, all they need to do is be able to code that back onto counterfeit cards,” Mularski said.

Plus, Lee said, some places allow purchases with just a credit card number.

The numbers may not necessarily be in the hands of the hacker who stole them. Hackers can sell credit card numbers online, Lee said.

“You can do a lot of things with a credit card number,” Lee said. “In addition to just buying things, you can also sell it to other people who want to buy things.”

One victim's credit card was maxed out within a night, police spokeswoman Stefani Plume said.

A state police investigator estimated that 40,000 credit card numbers could have fallen prey to hackers' eyes, but the perpetrators “obviously ... didn't use them all,” Plume said. About a dozen people reported credit card issues to state police, Plume said.

Police can't say for certain where the hackers are from, Plume said.

“Several of the charges in regard to the people that were involved were from different states,” she said. “It appeared as though where the charges were made were coming from inside the U.S.”

The resort hired a private company that confirmed the hacking, and that company secured the system and continues to monitor it. The resort is not aware of any breaches since July.

Any resort guest who sees anything fishy on their credit card statements should contact their credit card company and the resort, and claims will be turned over to police, Nobers said.

Rossilynne Skena is a staff writer for Trib Total Media. She can be reached at 724-836-6646 or

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.