Caesars Entertainment recently gave in to the demand of hackers and paid at least half of a $30 million ransom after a cyberattack late this summer.
People familiar with the matter revealed that hackers used a social engineering method where one person pretended to be an employee and then contacted the company information technology (IT) help desk to request a password change.
In a Securities and Exchange Commission (SEC) filing, Caesars reported that the incident was the result of a social engineering attack on an outsourced IT support vendor. The casino operator did not provide details about the “unauthorized actor” behind the cyberattack.
In the filing, Caesars reported that it immediately activated its “incident response protocols” after suspicious activity was detected. The casino operator also enforced several containment and remediation measures to reinforce the security of the casino’s information technology network.
Caesars discovered that the hacker obtained a copy of data, including driver’s license numbers and social security numbers, for “a significant number” of members of the casino’s loyalty program.
However, Caesars insisted that there is no evidence that sensitive data was accessed. (Related: Over 6M public records from motor vehicles office in Louisiana exposed to MOVEit hackers.)
MGM Resorts, the biggest operator on the Las Vegas Strip, also faced a cybersecurity breach earlier this month. MGM reported that it encountered a “cybersecurity issue” on Sept. 10, and that it was forced to shut down some of its systems. Things like slot machines and sports-betting kiosks were down, along with online reservations, digital keys for hotel rooms and credit card transactions.
Following the attack on its systems, MGM operated its resorts using backup protocols for the rest of the week. At the same time, some properties checked in guests with pen and paper. Slot machine wins were also paid out manually.
Hackers target casinos and hotels for personal and financial data
Hotels and casinos like Caesars and MGM are prime targets for hackers because they have access to personal and financial data collected from all customers.
Caesars said it hasn’t found proof that data accessed in the attack was published or misused. Caesars also offered credit monitoring and identity theft protection to all loyalty program members.
According to Caesars, it may continue to incur expenses as it investigates the attack. The casino did not specify how much it spent following the incident.
Caesars may recoup some costs from its cybersecurity insurance, but the casino said that it doesn’t expect the incident to have a significant impact on its financial health.
Not all companies will choose to pay ransom, but others like Caesars may do so to avoid losing data or business disruptions.
Operators of the Colonial Pipeline, which shut down following a ransomware attack in 2021, paid $4.4 million to hackers. Thankfully, more than half of the ransom was eventually recovered by the Federal Bureau of Investigation (FBI).
Data compiled by Coveware, a firm that helps companies respond to cyber extortion, revealed that the average ransom payment is $740,000.
According to the FBI website, it doesn’t recommend paying a ransom because it could encourage hackers to target more victims.
Caesars and MGM combined operate an estimated 60,000 hotel rooms in Las Vegas and tens of thousands more across the United States. Caesars’ Strip casinos include other establishments, such as Caesars Palace, Paris and Planet Hollywood.
Meanwhile, MGM’s casinos include Aria, Bellagio, Mandalay Bay and MGM Grand. MGM hasn’t released other details about its cybersecurity issue, including whether MGM received a ransom demand.
Gambling industry targeted more in 2023
Some sectors are hit with ransomware and extortion attacks more frequently than others, but hackers are often indiscriminate and will target any organization that they can. Brett Callow, a threat analyst for Emsisoft, a cybersecurity company, explained that organizations with the weakest security posture tend to be the ones that hackers target the most.
The gambling industry has been targeted more often by hackers in 2023. Shane Sims, the chief executive of Kivu Consulting, a firm that also helps companies deal with cyber extortion, said that the firm has had to deal with more cases where the victims were gaming companies, both in the U.S. and in other countries.
At least five percent of Kivu’s cases this summer involved gambling industry victims. Sims added that there were none between January and May.
According to Sims, summer 2023 could be considered “the summer of cyber extortion in the gaming industry.”
Hackers steal sensitive information and threaten to disclose it. In most cases, that’s the driving factor for companies giving ransoms. These transactions often take place using Bitcoin and other digital currencies.
Charles Carmakal, the chief technology officer at Google’s Mandiant cybersecurity unit, warned that one group of hackers has been actively targeting hospitality and entertainment organizations over the past couple of years.
The group, which Mandiant calls UNC 3944, has attacked more than 100 organizations within the last two years. UNC 3944 has also targeted retail technology, telecommunications and videogame companies.
UNC 3944 uses different techniques to hack into companies, including social engineering. Using this method, someone from the group will call company employees and convince them to check malicious websites. In other cases, they will contact a company help desk to gain access to corporate networks.
These attempts often work because hackers are persistent and some are native English speakers. According to Carmakal, UNC 3944’s members seem to be in their teens and early 20s, with some based in the U.S. and some in the United Kingdom.
The SEC recently enforced rules that require companies to report cybersecurity incidents within four days of being deemed crucial to their business. The rules will take effect in December 2023.
However, new rules from the Nevada Gaming Commission will now require casinos to report all cyberattacks within 72 hours and take steps necessary to protect their systems from hackers by performing annual assessments of their cybersecurity.
Casinos must also investigate any incidents and submit a report to the Nevada Gaming Control Board.
Watch the video below to learn more about the MGM cyberattack.
This video is from The Bikini Truther channel on Brighteon.com.
More related stories: