Jonathan Greig reports on a data breach:
Nevada Restaurant Services (NRS), the owner of popular slot machine parlor chain Dotty’s, has disclosed a data breach that exposed a significant amount of personal and financial information.
In a statement, the company confirmed that “certain customers” were affected by the breach and explained that the information includes Social Security numbers, driver’s license numbers or state ID numbers, passport numbers, financial account and routing numbers, health insurance information, treatment information, biometric data, medical records, taxpayer identification numbers and credit card numbers and expiration dates.
I don’t normally link to data breaches too often because if I did, this site would be renamed to Curated Data Breaches given how frequently they occur. But what I want to know is, why in the world does a slot machine company have passport numbers, health insurance information, and medical records? What are they doing with that information? Slot machines are pretty simple: put quarter in, watch the screen light up and speakers make a bunch of happy noises, repeat until you run out of quarters. Unless there’s some sort of business arrangement where they put slot machines in the Nevada hospitals…
Also, the fact that credit card numbers and expiration dates were lost makes me wonder if they were actually PCI compliant.
Well, a slot machine company probably gathers identifying information when they need to payout to winners, especially high number winners. Not sure about health insurance information though, unless the data breach was information on their own employees, and they’re just not disclosing whether it was employee information or customer information that was breached.