Okemo Mountain Resort has been a recent target of criminal efforts to gain access to credit card data by infiltration of the computer network at Okemo Mountain ski area in Ludlow, Vermont. An expert in data security and forensics hired by Okemo to assist in the investigation and response to the incident has informed Okemo that its computer system was improperly accessed by an outside party for a 16-day period between February 7, 2008 and February 22, 2008. Affected consumers potentially include those who used their credit cards at Okemo during the 16-day period in February 2008 as well as cardholders who had credit transactions at Okemo two years ago during a three-month period between January 2006 and March 2006.
Upon discovery of this intrusion, Okemo promptly initiated security measures to block the infiltration and protect credit card data from any further unauthorized access. Concurrently, Okemo contacted the FBI and Secret Service. Okemo’s security breach, on a smaller scale, appears to have some similarities to the Hannaford breach as it involved infiltration of “real time” data. The attack was designed to capture magnetic strip data from credit cards as the cards were swiped through serial devices at point of sale terminals.
The forensic expert determined that there was no evidence of any security breach to the computer systems at Mount Sunapee ski area in Sunapee, New Hampshire, or Crested Butte ski area in Crested Butte, Colorado.
Type of Credit Card Data Potentially Accessed
Okemo’s forensic expert determined that Track 1 and Track 2 credit card data was potentially accessed by the intruder. Track data is the credit card industry’s standard information present on every credit card magnetic strip. Track 1 data typically contains the cardholder’s full name, primary account number (PAN), expiration date, card verification value (CVV) and encrypted PIN. Track 2 data typically contains the same data as Track 1 without the cardholder’s full name.
The forensic investigation produced no evidence that any other type of personal information was improperly accessed. Okemo does not collect Social Security Numbers or other personal information at its point of sale terminals.
Visa, MasterCard and American Express are the only credit cards accepted at Okemo. Okemo’s forensic expert determined that a total of 28,168 credit card transactions were potentially exposed by the attack during the 16-day period. Of those transactions, 20,688 have been identified as Visa/MasterCard transactions and 7,480 as American Express transactions. The number of cardholders involved in those transactions is likely to be smaller because multiple transactions were likely to have been processed on a single credit card.
A second set of credit card data potentially exposed by the attack was credit card transaction data during a three-month period from January through March 2006 involving 24,463 individual credit cards. Many of those credit cards are believed to have expired.
Public Notification
Once Okemo’s forensic expert was able to determine the type of data potentially accessed by the infiltration, Okemo commenced the public notification process. On March 31, 2008, a Media Notification was disseminated to more than 150 major print, television and radio media outlets in New England and the eastern United States. Notice was also posted on Okemo’s Internet homepage as a credit card security alert. See: www.Okemo.com. Okemo set up a Toll Free Call-In number to provide additional information and assistance to potentially affected cardholders. The Toll Free Number is 1-866-756-5366. Additionally, Okemo provided notice to the three major credit reporting agencies—Equifax, Experian and TransUnion. Okemo has forwarded notification to a number of state attorneys general and consumer protection divisions.
Protection of Cardholders
Okemo has provided notice to Visa, MasterCard and American Express and continues to work with the credit card companies and their forensic representatives. The credit card companies notify the institutions which issued the credit cards so that those institutions may in turn notify individual cardholders or issue new cards.
Okemo recommends that all cardholders carefully review their credit card statements and credit card reports and remain alert for any unauthorized or suspicious activity. Okemo recommends that cardholders consider obtaining free credit reports that are available through the three major credit reporting agencies, the contact information for which is listed below.
Cardholders who suspect that their accounts may have been improperly accessed should immediately notify their credit card issuer.
Okemo deeply regrets and apologizes for any inconvenience or concerns this criminal attack may have caused Okemo’s valued guests and visitors.
For further information or assistance, cardholders are encouraged to call the Okemo Toll Free Number 1-866-756-5366.
Okemo can also be contacted at Okemo Mountain Resort, 77 Okemo Ridge Road, Ludlow, VT 05149.
Listed below is the contact information for the major credit reporting agencies and the Federal Trade Commission. Individuals may obtain information from these sources about steps they can take to obtain free credit reports and place a fraud alert or security freeze on their credit report and file.
Contact Information for Credit Reporting Agencies and the Federal Trade Commission:
Equifax
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
1-800-685-1111
PO Box 740241
Atlanta, GA 30374-0241
www.equifax.com
Experian
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
1-888-397-3742
PO Box 2104
Allen, TX 75013
www.experian.com
TransUnion
1-800-680-7289
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834
www.transunion.com
Federal Trade Commission
1-877-438-4338
600 Pennsylvania Avenue, NW
Washington, DC 20580
www.ftc.gov