TribLIVE

| News

 
Larger text Larger text Smaller text Smaller text | Order Photo Reprints

Hackers could have eyed about 40,000 credit card numbers of visitors to Nemacolin Woodlands Resort

Email Newsletters

Click here to sign up for one of our email newsletters.

'American Coyotes' Series

Traveling by Jeep, boat and foot, Tribune-Review investigative reporter Carl Prine and photojournalist Justin Merriman covered nearly 2,000 miles over two months along the border with Mexico to report on coyotes — the human traffickers who bring illegal immigrants into the United States. Most are Americans working for money and/or drugs. This series reports how their operations have a major impact on life for residents and the environment along the border — and beyond.

By Rossilynne Skena Culgan
Thursday, Oct. 4, 2012, 12:01 a.m.
 

Hackers could have eyed about 40,000 credit card numbers of visitors to Nemacolin Woodlands Resort, and cybersecurity experts said tracking the criminals could be tough.

Between May and July, hackers grabbed credit card information from the luxe Fayette County resort's retail system and used some cards to make fraudulent purchases, officials said this week.

“Any high-tech crime like this is more difficult especially in the cyber world because the criminal doesn't have to be here in Western Pennsylvania. They could be anywhere in the world,” said FBI Supervisory Special Agent Keith Mularski, who oversees the FBI's “cyber intrusion squad” in Pittsburgh.

Speaking in general about cyber crime, Mularski said the FBI, Secret Service and state police employ agents trained to investigate such crimes. They can analyze the point of compromise and see where connections are being made — even overseas.

It's difficult, he said, but the bureau is successful in leveraging its international relationships.

“A dedicated person can make things very, very difficult for law enforcement,” said Adam Lee, a Pitt assistant professor of computer science who researches security and privacy. “(It) depends on how smart or pre-emptive the person is.”

Hackers targeted “point-of-sale” terminals, where customers swiped their cards at the resort's restaurants and shops, resort spokesman Jeff Nobers said. People who assigned charges to their room were not affected, according to the resort.

State police said anybody who ran a card through the resort's accounting system may be affected.

There are a number of possible ways hackers could have committed the crimes, experts said.

With so much information online, Lee said, it's “inevitable that there's going to be bugs.”

And if hackers spot some software hiccup, they can direct a computer system to pull whatever information they want. Hackers can also take an indirect approach, accessing an organization's system in general, he said.

Point-of-sale terminals are mini computers that run an operating system just like any other computer, Mularski said.

Criminals can install malware, a computer code that recognizes when a card is swiped and then pulls that data to a server anywhere in the world for storage.

Hackers could also search for any computer on the Internet, scanning for services that run on a particular Internet Protocol address, Mularski said.

Hackers did not gain personal information from Nemacolin such as names, only credit card numbers and their expiration dates and security codes.

But even numbers are enough to do damage, experts said.

“When the bad guys swipe that on a point-of-sale terminal and they capture that data, all they need to do is be able to code that back onto counterfeit cards,” Mularski said.

Plus, Lee said, some places allow purchases with just a credit card number.

The numbers may not necessarily be in the hands of the hacker who stole them. Hackers can sell credit card numbers online, Lee said.

“You can do a lot of things with a credit card number,” Lee said. “In addition to just buying things, you can also sell it to other people who want to buy things.”

One victim's credit card was maxed out within a night, police spokeswoman Stefani Plume said.

A state police investigator estimated that 40,000 credit card numbers could have fallen prey to hackers' eyes, but the perpetrators “obviously ... didn't use them all,” Plume said. About a dozen people reported credit card issues to state police, Plume said.

Police can't say for certain where the hackers are from, Plume said.

“Several of the charges in regard to the people that were involved were from different states,” she said. “It appeared as though where the charges were made were coming from inside the U.S.”

The resort hired a private company that confirmed the hacking, and that company secured the system and continues to monitor it. The resort is not aware of any breaches since July.

Any resort guest who sees anything fishy on their credit card statements should contact their credit card company and the resort, and claims will be turned over to police, Nobers said.

Rossilynne Skena is a staff writer for Trib Total Media. She can be reached at 724-836-6646 or rskena@tribweb.com.

Subscribe today! Click here for our subscription offers.

 

 


Show commenting policy

Most-Read Fayette

  1. Ceremony, parade mark start of 61st annual Fayette County Fair
  2. Connellsville Lions Club concert series continues through Sept. 6
  3. Fayette man gets house arrest in prescription painkiller scheme
  4. Additional charges filed in Connellsville vandalism case
  5. Woman accused of stabbing man at Fayette housing complex
  6. Musical ‘Seven Brides for Seven Brothers’ to be performed in Connellsville
  7. Fair weather expected for opening of Fayette County Fair
  8. Connellsville’s Porter Theater to present ‘Seven Brides’
  9. Mission group helps Connellsville-area residents
  10. Lower Tyrone man’s appeal on sewage permit denied, but supervisors sympathetic
  11. Connellsville Circles program fights poverty