The owners of Atlantis, Paradise Island resort in the Bahamas – frequented by American tourists – have reported a data breach involving the payment network serving the resort's food and beverage and retail businesses.
The company says credit and debit cards used to make purchases at those locations within the resort between November 1, 2016 and April 3, 2017 may have been compromised. Cards used to pay for room charges were not affected.
The company said it was alerted to a potential security issue by its credit card processor. It then hired third-party forensic experts who examined the payment network and confirmed the presence of malware.
“The Resort has confirmed that malware may have captured data from some credit and debit cards used at food and beverage and retail locations at the Resort,” the company said in a statement. “The Resort has removed the malware at issue to contain this incident and implemented additional procedures in an effort to prevent any further unauthorized access to customers' credit and debit card information.”
Because a different payment network was used to record credit and debit transactions for room reservations, those cards were not compromised. That includes food and beverage purchases that were charged to a guest's room and not paid for at the point of sale.
The forensic investigation is still underway, but the company said that, based on what is known at the moment, the malware may have collected card numbers, expiration dates, and CVVs. The breach apparently did not involve customers' names or PIN numbers. It is also not known how many cards may have been compromised.
"The Resort takes the security of our customers' information extremely seriously, and we apologize for the inconvenience this incident may have caused our customers," said Howard Karawan, president and managing director of Atlantis, Paradise Island.
What to do
Guests who used a credit or debit card for purchases in bars, restaurants, and gift shops at Atlantis, Paradise Island between November 1, 2016 and April 3, 2017 should contact the card issuer and report the possible compromise. The bank or credit card company should then issue a new card.
Because the breach may have exposed these consumers to fraud, the company notes they may contact all three credit reporting agencies and place a fraud alert on their file at no charge.