Casino Operator Affinity Gaming Says Hackers Accessed Payment Card Data


Hackers have infiltrated the payment processing system for casinos and resort properties of Affinity Gaming and accessed customer card data, the company confirmed late Friday.

In a statement released just before the weekend, Affinity said that attackers had breached the system that processes payment cards at several of its casinos and casino resort properties.

Affinity said that during a security audit of its IT systems on April 17, 2014, it identified a possible issue in the system that processes debit and credit card transactions.

On April 24, the company first warned of an “unauthorized intrusion” into the system that processes customer payment cards for its casinos, and said that it had hired FireEye-owned Mandiant to investigate the breach.

Affinity's investigation, which the company said was still under way, has since determined that its system was attacked by hackers and that credit or debit card data was exposed at the following locations for customers making hotel, food and beverage, and retail purchases with their cards between December 7, 2013 and April 28, 2014:

• Silver Sevens Hotel & Casino in Las Vegas, NV

• Rail City Casino in Sparks, NV

• Primm Valley Resort & Casino in Primm, NV

• Buffalo Bill's Resort & Casino in Primm, NV

• Whiskey Pete's Hotel & Casino in Primm, NV

• Lakeside Hotel-Casino in Osceola, IA

• St. Jo Frontier Casino in St. Joseph, MO

• Mark Twain Casino in LaGrange, MO

• Golden Gates Casino in Black Hawk, CO

• Golden Gulch Casino in Black Hawk, CO

• Mardi Gras Casino in Black Hawk, CO

Affinity is encouraging individuals who visited its facilities and used their credit or debit cards for hotel, food and beverage, or retail transactions between December 7, 2013, and April 28, 2014, to take steps to protect their identities and financial information.

The company did not disclose how many cards may have been compromised as a result of the attack.

In December 2013, the gaming company disclosed that its payment card processing system was infected with malware, which resulted in the compromise of credit card and debit card data from individuals who visited several of its gaming facilities.

According to a company spokesperson, investigators are working to determine whether the two incidents are related.

"At this time, it is uncertain," the spokesperson told SecurityWeek.

"Our customers are our top priority and we can assure them we are working tirelessly, using best-in-class experts to protect our IT system and their information," David Ross, Chief Executive Officer at Affinity, said in a statement. "We deeply regret any inconvenience this incident may cause and are ensuring our customers have the information they need to address any concerns."

The gaming company is encouraging its customers to protect themselves against possible identity theft or other financial loss by reviewing account statements for any unusual activity, notifying their credit card companies, and monitoring their credit reports.

*Updated with Affinity Gaming's response to SecurityWeek's inquiry

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.