24
Jun 15

Hershey Park Investigates Card Fraud Pattern

Hershey Park, a popular resort and amusement park in Hershey, Pa. has hired a security firm to investigate reports from multiple financial institutions about a possible credit card breach, KrebsOnSecurity has learned.

hersheyContacted after reports by several financial institutions about a pattern of fraudulent charges on customer cards that trace back to Hershey properties, the company says it is investigating.

“We have received reports from some of our guests that fraud charges appeared on their payment cards after they visited our property,” said Kathleen McGraw, director of communications for Hershey Entertainment and Resorts Company.

“We take reports like this very seriously,” McGraw continued. “While our company does have security measures in place designed to prevent unauthorized access to our network, we immediately began to investigate our system for signs of an issue and engaged an external computer security firm to assist us. The investigation is ongoing.”

Sources at three financial institutions say they have detected a pattern of fraudulent activity on customer cards that were used at Hershey properties in Pennsylvania between mid-March and late May 2015. According to the banks, the cards were used at a variety of Hershey locations, including food and beverage outlets, ticketing stations and the Hershey Lodge.

36 comments

  1. Sweet Marley's Daytona Beach Fla

    Hersey Park, that’s right off the Hersey highway

  2. I wish when they say things like “pattern of fraudulent charges on customer cards that trace back to Hershey properties” they could be more specific like what kind of fraud (dollar amount, city, merchant types anything…). Wishful thinking of course!

    • Rebecca, maybe they need to do the investigation before they come out with that information. If they’re wrong, then people would rip them for being wrong. I’m sure they’ll have more information when they’re done the investigation.

      • Also they will prefer not to give details on (smaller) breaches, as it punishes retailers. After the target hack many, really many people, did not shop at Target for a significant time. Silly as the danger was already over, but now imagine a small shop owner losing customers. They can go bust.

        And breaches may not be his/her fault, but the card processor. The result is a smaller company gets an incentive to hide breaches or play dumb and pretend they didn’t notice. You don’t want that.

        As such, we the customer often never ghet the details on purpose. And if you think about it, that is actually a good thing. We have 100% fraude protection anyway.

        Just don’t use cash (ATM skim fraud) or debit cards, and you are good as long as your family does not rely on one huge limit card, but has two, three or four smaller cards instead.

        • Use cash, and if you’re concerned about ATM skimmers, withdraw money from a teller.

          • Credit cards give rewards, build credit plus save one time and gas to not have to go to the bank. Really credit cards are the safest way to pay *and* more convenient. Using cash is not more safe.

            • Yeah but you know who pays for those ‘rewards’, right? You and me through increased purchase costs passed on to us by merchants who pay increasing per-transaction fees. We’re all making everything more expensive not only for credit card users but for those who don’t as well!

  3. I got this message in red across the top of your email announcing this possible breach:

    “Be careful with this message. It contains content that’s typically used to steal personal information.”

    Never happened before with your emails.

    • Mick Weinstein

      I did too, Brian, it’s a phishing warning from Gmail.

    • I did too. All kinds of warnings on gmail. Haven’t seen anything like that before.

    • Flagged as possible phishing on my Gmail account as well.

    • Terry Clayton

      I got the same warning from Gmail (specifically, “Be careful with this message. It contains content that’s typically used to steal personal information.”).

      This simply doesn’t make any sense to me … if there is anyone that I would trust an email from it would be you.

      I checked and the same warning is showing on Gmail on Android and iPhone as well as GMail via the web.

      Brian, being on email list and following your blog has saved me several times by having me “ahead of the curve” and allowing me to react to breaches, etc. before they are even mentioned (if ever) in the general media.

      Is there any way we can help “educate” Google regarding their mistake? (I did click on “Ignore, I trust this message”)

      Thanks for all your hard work.

      • I wonder if gmail is doing something new now and flagging the word “spam” lol “My new book, “Spam Nation,” came out on Nov. 18.”

  4. Just a note, the Brian Krebs Bot message to me about this article in Gmail got flagged “Be careful with this message.It contains content that’s typically used to steal personal information.” Nothing weird about the email that I can tell though.

    • I have to agree the mail looks OK, but Brian has taught me to be paranoid about clicking links. I don’t see any address info for the links to report or ignore, only for the one that says Learn more.

      Thanks to all who reported getting this banner, too.

  5. Michael Martin

    I received a message stating “Extra line breaks in the message were removed”. Hopefully that helps.

  6. Am baffled by the spokesperson comment “We have received reports from some of our guests that fraud charges appeared on their payment cards after they visited our property.” Really? If their guests told them then they must have already had knowledge of this. Suspect that isn’t truthful and it is the BANKS/ISSUERS of their guests who picked up the pattern.

    • I’m sure that’s true. It would be pretty trivial for the bank to correlate fraud reports with a single common merchant.

      In fact, they must have automated the process long ago. Maybe they just sit on the incidents until it reaches a threshhold.

  7. Interesting report where a company is reporting a possible incursion prior to firm evidence that they were the actual cause. And we all may read some day that they were the root source. We must all remember, however, that it is also very possible that those affected were also customers of perhaps multiple different gasoline stations or convenience store locations near that amusement parks entrance. If those non amusement park locations were all infected with the same information theft equipment then the first normal common indicator would be that the incursion happened at or within the amusement park.

  8. Honestly, this company sounds a lot more proactive and concerned with customers than just about any other company I’ve seen reported on in this column. They are pre-announcing their investigation with enough detail for potential victims to be on the alert. Has this ever happened before in any of Brian’s reports? I don’t think so. Every other company has announced the problem well after the fact, and couched in bland rhetoric with no detail.

  9. Google? Fish warning? I get them when I have gone to a politically incorrect website. Brian, what have you done???

  10. I have had this happen at Hershey locations for several years now. primarily the McDonald and the turkey hill by the park. just 4 days after visiting the park I had an attempted cash advance on a card that was used at the park.

  11. I was a victim of this breach. My card company notified me this past Monday of a transaction from a Tim Horton’s in Vancouver for 80 some dollars. That’s a lot of donuts and coffee! Fortunately, they realized it was fraudulent, suspended my card, and are refunding the amount of the transaction.

  12. It’s a sad day when the world is running low on chocolate and corporations turn to hacking to make up for lost profits.

  13. ” the world is running low on chocolate ” Say it ain’t so!
    All the women in my life would be very unhappy!

  14. Very interesting…

    Don’t know if this was is a coincidence but our company got spammed hard with the standard phishing emails asking to click link to reset outlook passwords from Hersheys.com in early June. also contained malicious attachment. IT Sec blocked sender and embedded link ewhaws.jimdo.com

    I notified their IT Security Department without response…

    Received: from hmailgw1.hersheys.com
    Date: Thu, 4 Jun 2015 01:54:46 +0800
    Subject: Support Notification
    Thread-Topic: Support Notification

    Today Wednesday 3rd June 2015, we are moving all email account to Outlook 2015 Webaccess
    in a course to provide best email account service to you. Please click the link below and fill
    required information for activation:
    Click Here
    Your account will remain inactive if you do not complete this survey.
    Admin Helpdesk.

    • FYI, hersheys.com is owned by the Hershey Food Co (public) and Hershey Entertainment & Resorts Co (private) is a totally disparate entity. So it’s not related.

  15. Overheard in the Hershey IT security office: “OH FUDGE!”

  16. That’s simply because eating too much chocolate acts as a laxative.
    ;-]

  17. Intelligent Video Analytics (Ken)

    Whatever caused these fraudulent transactions has to be investigated and resolved swiftly. We can’t have people fearful about taking vacations. I’ve been to Hershey and feel safe there. Is there nowhere safe anymore?

  18. You have to be careful when and where you use your credit card. I stayed at the Hershey Lodge this past holiday weekend 7/4/15. They were doing a lot of switch and bait. I was suppose to get a package then upon check in I was told that I could not have that package because it was for bigger families. I should have been able to spend $500.00 (hotel, park tickets, food, transportation). Instead I had to spend heavily out of pocket plus they cancelled the free breakfast because I did not have enough people in my party. So I took my child and went to Friendly’s and the staff there was my pleasant. The Lodge also tried to double charge me for Hershey Park tickets.