When Holiday Valley CFO Dave Trathan answered a call from M&T Bank on May 15, 2015, regarding a possible security breach, he didn’t think much of it. It didn’t seem unusual; bank representatives occasionally call vendors to verify charges that customers dispute or don’t remember, and the voice on the other end of the line was nonchalant.

But as the bank representative calmly relayed the news of 40 customers reporting fraudulent charges, and all 40 had one point of sale transaction in common—Holiday Valley—Trathan knew this wasn’t routine.

“Initially you think, ‘This can’t be happening to us,’” he says.

Days later, as the resort was beginning its investigation, a similar call came from Visa. Then other banks and credit companies began calling, too. In all, an estimated 6,700 cards that had been used for payment at Holiday Valley, in person or online, had been compromised.

Size Doesn’t Matter

Why would cyber criminals target a small ski hill in western New York State?

“It’s nothing personal,” says Dave Gibson, owner of web design and hosting firm Propeller Media Works, which was brought in to rebuild the Holiday Valley site as part of the costly cleanup. “It’s often random, not a thoughtful decision. A program is hunting to exploit a code, not necessarily target a resort or the industry.”

He likens data breaches such as the one at Holiday Valley to a burglar prowling a dark street, trying each door or window until he finds a way in. The victims are rarely targeted for any particular reason, though ski resorts’ affluent customer base can make for a good payday.

The hackers were also quite adept. Despite having Payment Card Industry (PCI) compliant network security in place, the thieves had accessed Holiday Valley’s network for an unknown amount of time, and left no trace.

Following the initial lockdown and several third-party forensic network audits, the resort has new systems and safeguards in place at the cost of tens of thousands of dollars (luckily covered by insurance—more on that later) and two months of labor resources and interrupted communications.

But the responsibility—and expense—didn’t end there. Laws vary by state, but companies are required to notify all customers of such data breaches, which costs time, money, and can affect a company’s reputation.

A data breach such as the one experienced by Holiday Valley costs U.S. companies an average of $7 million, or $221 per stolen record, according to 2016 data from the Ponemon Institute’s annual Cost of Data Breach Study, which looked at 64 companies across 16 industry sectors.

Holiday Valley is not the only winter resort that has been hacked. At Wild Mountain, Minn., the resort’s site was attacked just before the lucrative 4th of July weekend in 2014. A virus embedded in Wild Mountain’s website began infecting visitors with malware. The site was blacklisted by search engines, warning visitors that the site might be harmful.

The blacklisting—and resulting lockdown and remediation—dealt a major blow not only to communication, but e-commerce sales as well.

“These are very intelligent people somewhere in the world being malicious. There’s no value to it,” says Amy Frischmon, VP at Wild. “There’s no way to put a number on it, but we lost business, and it hurts anytime we lose customers, whether it’s one or 100.

“There should be a special place in hell for all the hackers,” she says.

Four Types Of Attacks

While a data breach can be one of the most damaging and costly versions of a cyber attack, it’s not the only kind, as Wild Mountain learned.

Gibson categorizes cyber attacks into four groups: “mischievous,” “destructive,” “malicious marketing,” and “data breach/thievery.” Mischievous hackers tend to hack websites just because they can, but are more annoying than harmful. Destructive attacks can wipe out websites and servers. Marketing hacks can hijack SEO and content to drive traffic to other sites, completely unnoticed.
Attacks can come in a variety of forms as well, Gibson says.

“Distributed Denial of Service,” or DDS, attacks are a common form of taking down websites. Servers are set up to handle a certain number of “requests.” Every component of a webpage appears on a visitor’s screen in response to a request from the visiting computer. DDS overwhelms servers with requests from hijacked computers, rendering the server and the associated website non-functional. Shared hosting platforms are vulnerable to this because “neighbor” sites on the same server as the one attacked can be affected.

“Brute force” attacks use software that attempts millions of login and password combinations per minute. This is why strong and unique logins are important.

“Exploit” attacks look for weaknesses in the code of sites and content management systems (CMS) such as WordPress, Drupal, and Joomla. These are the reason for security “patches” and why you shouldn’t ignore updates, says Gibson.

“Spear Phishing” is a more strategic and malicious attack, in which hackers try to get “keys” to access data on networks or servers by presenting themselves as trusted sources, such as an employee, partner, or related company. Gibson warns to be wary of emails or other requests for forgotten credentials.

Preventative Measures

So, how can resorts protect themselves?

Sam Rufo, owner of nxtConcepts, has developed a niche of fixing hacked and broken sites. She helped get Wild Mountain back online (and picked up the pieces when SAM’s site was crippled by a cyber attack earlier this year).

While damage control has become her specialty, she says a defensive strategy will minimize the cost of an attack.

“A lot of the ski areas think they’re somewhat insulated,” says Rufo. “But they’re usually not. We’re always recommending that you keep website support and security patches updated. Most people do after they’ve had an issue. It’s way more expensive if you have to fix it after something happens than if you safeguard against it from the beginning. Routine oil changes are cheaper than a new engine.”

Rufo urges resorts to adopt some basic Web security precautions.
• Always have off-site backups on a separate server.
• Keep your sites, CMS, security updates, patches, and software current.
• Have safeguards, firewalls, etc., in place. Point of sale (POS) networks should be isolated, and only able to point to credit card processing networks.
• Have a digital disaster plan in place if your preventative measures fail.

What To Have At The Ready

There are several steps to take to secure your website:
• Know how to contact your hosting company. Know and have access to your Web developer/site manager at all times.
• Know where the recent (within 24-hour) backups are located.
• Integrate a PR crisis strategy for communication following an attack, including necessary notifications in the event of a data breach and a plan to minimize disruption of consumer channels.
• Keep a current recovery plan. How can the site be fixed? Who’s in charge of it? How long is it going to take? Where’s the money coming from?

Insuring Against The Unthinkable

While cyber liability and digital risk policies are readily available to ski resorts and other companies, less than 20 percent opt for the coverage, says Timothy Barnhorst, assistant VP of MountainGuard. While cyber liability is a relatively new threat—an “emerging exposure,” as Barnhorst calls it—he cautions that it’s a very real one.

“As a whole, our industry is severely underinsured when it comes to cyber liability. Ski resorts still don’t see the risk or have the IT resources to protect themselves,” says Barnhorst. “It’s not a matter of if, it’s a matter of when.”

The scope of cyber policies varies, he notes. Policies can be written to cover everything from personal info data breaches and the ensuing cleanup and notification including credit repair and monitoring for affected consumers, to loss of data, PCI compliance fines, and penalties—even “cyber extortion” ransom.

And the application process serves as an excellent review of existing safeguards and processes, providing an opportunity to identify and rectify existing risks before it’s too late. Those invisible risks should be taken just as seriously as injuries on the hill, he says.

Recognizing The Risk

The extra cost of coverage may be an issue for some, but the bigger risk is complacency. The industry has been slow to recognize that cyber attacks are a very real and imminent threat. Small to medium businesses—a category which includes most North American ski resorts—saw a 300 percent increase in cyber attacks over the last year. More than 40 percent of those attacks targeted small businesses, according to Symantec’s 2016 Internet Security Threat Report.

Taking that threat seriously and being prepared means beefing up internal IT resources, enlisting the services of companies that can enhance your cyber security, and investing in cyber liability insurance.

“Don’t just think it’s not going to happen to you,” admonishes Frischmon. “Make sure you do what you need to protect yourself. If it hasn’t happened to you yet, it probably will. Just because you’re a little mom and pop ski resort doesn’t mean you’re flying under the radar.”