Slot machine chain exposes customer biometrics in data breach
Slot machine parlor chain Dotty’s owner Nevada Restaurant Services (NRS) has disclosed a privacy breach that exposed customers’ biometrics and other personally identifiable information (PII).
NRS did not specify how many individuals had their PII exposed, but the company confirmed the breached data included Social Security numbers, driver’s license numbers or state ID numbers, and passport numbers.
Also, financial account and routing numbers, health insurance information, treatment information, biometric data, medical records, taxpayer-identification numbers, and credit card numbers and their expiration dates were included in the breach.
While payment card and age-related data is likely necessary for the compliant operation of the slot machines, the inclusion of medical records raises questions about the necessity of storing all of the breached data.
According to a ‘Notice of Data Privacy Event’ report posted by NRS on September 3, the breach occurred in January this year.
Following an investigation by NRS, the company determined it had been the victim of a cyber-attack and that an unauthorized actor was “able to copy certain information from the system on or before January 16, 2021.”
Customers potentially affected by the breach have been contacted by NRS via notice letters, with the company setting up a phone number for individuals who did not provide their mailing addresses or receive a notice letter.
NRS also offered free identity protection services to customers protected by the breach, but at the same time clarified that using a credit freeze to take control over who gets access to the personal and financial information in the credit report may interfere with the approval of loans, credit, mortgage, or any other account involving the extension of credit.
Moving forward, NRS confirmed it has “security measures in place to protect its systems and the information in its possession” and “has worked to add further technical safeguards to its environment.”
States such as South Carolina have been updating data protection laws to include more stringent notification requirements and deal specifically with biometric data.