Web hacker gains credit card data at Okemo

April 1, 2008

By Bruce Edwards, Rutland Herald


Okemo Mountain Resort is the latest target of an Internet thief who gained access to customer credit card information.

The Ludlow ski area announced Monday that its computer network was breached in February by an intruder who gained "potential access to credit card data including cardholder names, account numbers and expiration dates," Okemo said in a statement.

Okemo spokeswoman Bonnie MacPherson said Monday the company has not heard of any customers subjected to fraud as a result of the breach.

"We are not aware of any and that's part of why this announcement is being made, to make people aware so they'll take precautions since we just completed this forensic investigation and review," MacPherson said. "We now feel we are fully informed so we could go public with this."

The data breach occurred during a 16-day period between Feb. 7 and Feb. 22, involving 28,168 card transactions. Okemo noted that the actual number of credit card holders is likely smaller because of multiple transactions.

MacPherson said the company learned of the data breach at the end of February. She declined to say how the resort became aware that its computer system had been compromised.

She said the data breach could also potentially affect debit card holders if they used their card as a credit card. The incident affects customers in any number of states and foreign countries who used their credit cards at Okemo during the above time periods, MacPherson said.

Okemo officials said they hired a data security and forensics expert who also determined that credit cards used between January and March 2006 were compromised as well. The latter involved as many as 18,401 individual credit cards. MacPherson said many of those cards had expired.

She also said the data break-in was isolated to Okemo and did not involve customer credit cards used at its two other resorts, Mount Sunapee in New Hampshire or Crested Butte in Colorado.

MacPherson said the resort notified the Vermont Attorney General's Office, VISA, MasterCard and American Express of the data breach. She said federal law enforcement and regulatory agencies are also involved.

"As a result of this, we've increased the firewall capability and added some software and taken some additional precautions," she said.

It's the second high-profile data breach in New England involving credit or debit card numbers. Maine-based Hannaford supermarkets announced last month that 4.2 million credit and debit card numbers were compromised. There have been at least 1,800 reported cases of fraud associated with that data theft.

Vermont Assistant Attorney General Julie Brill said Okemo officials notified her office of the data breach on Monday.

While Vermont law requires that a business or state agency notify consumers within 10 days of the discovery of a breach where personal information is compromised, the law also says notification must be made "in the most expedient time possible and without unreasonable delay," consistent with law enforcement needs.

Brill repeated that consumers should check their credit card statements for suspicious charges and notify their credit card company immediately. She also said consumers are well protected from fraudulent charges.

"Typically speaking, the charges are taken off their card. The consumer is not responsible for them," said Brill, who works in the Consumer Protection Division. "Also, banks and the payment card system, like VISA and MasterCard, usually monitor this situation pretty closely."

Okemo said it does not have adequate information to contact cardholders directly. However, the resort said banks, which issued the credit cards, will be provided information necessary to notify affected cardholders.

The resort said it will provide updates on its Web site at www.okemo.com.

For more information or assistance, cardholders can call (866) 756-5366 or write Okemo Mountain Resort, 77 Okemo Ridge Road, Ludlow, VT 05149.
