Card Thieves Breach Hersheypark with Malware

Hershey Entertainment and Resorts' payment systems were infiltrated earlier this year, potentially exposing cardholder data, the entertainment and resort company disclosed July 10.

An investigation found that any card used in person at a Hershey Entertainment & Resorts property from Feb. 14, 2015 to June 2 is potentially at risk, though a significant number of cards used after May 9 were probably not affected, Hershey said in a press release.

Based on an investigation, Hershey concluded that an unauthorized person installed a program that makes a copy of payment card data as it routes through Hershey's system to its payment processor.

The unauthorized program searched for cardholder names, numbers, expiration dates and verification codes on the card's magnetic stripe, an attack similar to scraping.  The migration to EMV-chip cards is expected to largely mitigate plastic cards' vulnerability to this type of theft.

On May 30, Hershey's antivirus program identified and removed a suspicious file from devices in its payment acceptance system.

On June 9, Hershey began receiving calls from consumers who reported unauthorized charges after they used their cards at Hershey Entertainment and Resort properties, which include an amusement park, zoo and other attractions near Hershey, Pa.  Hershey then hired a computer company to examine its payment card system.

Hershey is working with the computer company to further review and improve security measures. Retailers and merchants have become particularly sensitive to vulnerabilities in their payment systems given a number of prominent data breaches that have occurred over the past couple of years, most notably at the one affecting Target Corp.  

It also caps a difficult week for large enterprise technology, given the recent "glitchfest" at the New York Stock Exchange, The Wall Street Journal and United Airlines, though these problems were not found to be linked to criminal activity.