Introduction: Are Casinos Really Secure?
When you think of casinos, you probably envision high-stakes games, luxurious settings, and tight security. But have you ever wondered how secure these establishments are in the digital realm? The answer might surprise you. Over the years, casinos have increasingly become targets for cybercriminals.
Let's delve into this comprehensive timeline of significant cyberattacks on casinos.
2014: Las Vegas Sands – The $40 Million Catastrophe
In February 2014, Las Vegas Sands, owned by billionaire Sheldon Adelson, fell victim to a cyber onslaught that shook the casino industry. At the time, Las Vegas Sands was one of the largest and most lucrative casino operations globally. Thus, it presented an attractive target for cybercriminals.
The attack was politically motivated [1]. Sheldon Adelson, the CEO, had openly made comments against Iran, specifically advocating for a nuclear strike. This comment didn’t sit well with Iranian hackers, who then decided to retaliate.
The attackers initiated a Distributed Denial of Service (DDoS) attack, essentially flooding the company’s network with overwhelming traffic, making it impossible to function normally. But they didn’t stop there. They also inserted malware that wiped servers and leaked sensitive employee information.
The cyberattack caused approximately $40 million in damages, including both technical repairs and data loss. This event was a wake-up call for the casino industry, which started to reconsider its cybersecurity protocols. Moreover, it showed that casinos could be targets of politically motivated cyberattacks, not just financially motivated ones.
The Las Vegas Sands incident was a bellwether for the industry, highlighting the extent to which a lack of robust cybersecurity could cost a company.
2016: Affinity Gaming – Credit Card Breach
Affinity Gaming, a casino operator primarily active in Nevada, was not as large as Las Vegas Sands but was reputable nonetheless. In 2016, it became the target of a cyberattack that significantly impacted its business [2].
The Entry Point
The attackers focused on the Point of Sale (POS) systems, which are designed to handle customer transactions. These systems are often considered secure but are not impervious to breaches.
The criminals used POS malware, software designed to infiltrate transaction systems and skim credit card information. The malware was sophisticated, capable of evading detection for a considerable period.
While the exact number of compromised credit cards was never disclosed, the damage was extensive enough to hurt Affinity Gaming’s reputation. Customers became wary of using their cards at the establishment, and the company faced increased scrutiny from regulatory bodies.
Affinity Gaming had to overhaul its entire POS system, implement new security measures, and work on rebuilding customer trust. The costs were not just immediate but also long-term, affecting the company’s stock prices and customer loyalty.
2017: River Casino – Held for Ransom
River Casino, not as globally recognized as the previous examples, still had a substantial digital footprint. In 2017, it fell victim to a different kind of cybercrime: ransomware.
The Ransom Note
The attackers encrypted the casino’s essential files [3] and demanded a ransom of $1 million in Bitcoin for the decryption key.
River Casino faced a difficult choice: pay the ransom and potentially encourage future attacks or refuse to pay and risk losing vital data.
In a desperate attempt to restore operations, the casino opted to pay the ransom. The attackers decrypted the files, but the incident left a lasting scar on the casino’s reputation and finances.
2018: Casino Rama – Data Leakage Nightmare
The attackers exploited a vulnerability in the casino’s security system, gaining access to the personal information of patrons and employees, including Social Security numbers and bank details.
The breach led to multiple lawsuits from affected individuals and a significant loss of trust among patrons. There was also a regulatory backlash, with authorities questioning the adequacy of Casino Rama’s cybersecurity measures.
2020: MGM Resorts – The Big Bet That Failed
MGM Resorts is a household name in the casino industry, making the scale of its 2020 data breach all the more shocking.
The breach exposed the personal data of 10.6 million guests [5], including celebrities, CEOs, and tech moguls. The data was eventually found for sale on a dark web marketplace.
MGM Resorts took immediate steps to notify affected guests and bolster its cybersecurity measures. However, the damage was done, and the company faced several lawsuits as a result.
2021: Federal Group Casinos in Tasmania – The Underestimated Vulnerability
In 2021, a cyberattack affected two Federal Group casinos in Tasmania, bringing attention to the vulnerabilities of even smaller-scale casino operations. The attack began on April 3, 2021 [6], and the consequences were immediate and severe, affecting both pokies machines and hotel booking systems.
The attack used ransomware, a type of malware that encrypts files and demands payment for their release. What made this attack alarming was its impact on the casinos’ primary source of revenue: pokies machines. These machines were down for a total of ten days, a considerable period given the popularity of such games.
ABC News reported that over the eight months leading up to the attack, the average monthly expenditure on pokies in the Federal Group’s casinos was a staggering AU$6.7 million, totaling AU$53.7 million over the period. The ten-day shutdown thus likely inflicted substantial financial damage.
2022: Crystal Bay Casino – A Wake-up Call on Data Security
In November 2022, Crystal Bay Casino reported unusual activities within its network systems. Initial investigations indicated that certain files might have been illicitly copied around November 27, 2022. Further reviews, concluded on January 25, 2023, revealed that some database information might also have been compromised [7].
2023: MGM Resorts and Caesars Entertainment – The Wide Reach of ALPHV and Scattered Spider
The Incident Unfolds
In a series of coordinated attacks, hacking groups ALPHV and Scattered Spider breached not only casino giants MGM Resorts and Caesars Entertainment but also targeted companies in manufacturing, retail, and technology sectors. The news broke in September 2023, putting the spotlight back on the rampant ransomware attacks affecting various industries.
Inside the Attack
David Bradbury, the Chief Security Officer at Okta, a company that provides identity management services, confirmed [8] that five of their clients, including MGM and Caesars, had been compromised. Okta, which has over 17,000 customers globally, noticed multiple breaches among its client base and promptly issued an alert. The hackers used sophisticated tactics like impersonating employees of the victim companies to gain duplicate access through IT helpdesks.
The attacks had immediate repercussions on MGM [9] and Caesars, causing a drop in their stock prices. MGM, in particular, faced disruptions in its operations spanning from Las Vegas to Macau.
Both companies remained tight-lipped, with MGM acknowledging a “cybersecurity issue” and Caesars confirming an ongoing investigation.
The financially motivated hacking group ALPHV took credit for the MGM breach and even warned of further attacks if a deal wasn’t struck. The exact ransom demand remains undisclosed. Scattered Spider, recognized by Google’s Mandiant Intelligence as one of the most disruptive hacking outfits in the United States, appears to have collaborated with ALPHV in these attacks. The incident itself is expected to cost MGM around 100 million USD.
Top Casino Cybersecurity Issues
The Internet of Things (IoT) has made its way into casinos in the form of connected thermostats, smart fridges, and even fish tanks. However, robust security for these devices is often lacking, creating unnoticed security loopholes.
Ransomware attacks are a growing concern, especially given the volume and variety of data that casinos handle. A successful attack could result in a shutdown lasting days or weeks, forcing casinos to choose between paying a ransom or facing market repercussions.
Hackers are not just interested in immediate gains. They also stealthily collect and sell data, setting the stage for future identity thefts and credit card frauds.
A breach can trigger a cascade of compliance issues. From Payment Card Industry Data Security Standard (PCI DSS) audits to violations of privacy laws like the California Consumer Privacy Act (CCPA), the repercussions can be both legally and financially draining.
[1] https://www.theverge.com/2014/12/11/7376249/iran-hacked-sands-hotel-in-february-cyberwar-adelson-israel
[2] https://arstechnica.com/information-technology/2016/01/security-firm-sued-for-filing-woefully-inadequate-forensics-report/
[3] https://www.cbc.ca/news/science/canada-mines-casinos-hacked-ransom-extortion-fireeye-fin10-1.4162940
[4] https://www.charneylawyers.com/casino-rama-class-action
[5] https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/
[6] https://www.abc.net.au/news/2021-04-13/ransomware-attack-hits-federal-group-casino-operator/100064038
[7] https://www.crystalbaycasino.com/notice-of-data-breach/
[8] https://www.reuters.com/technology/hackers-who-breached-casino-giants-mgm-caesars-also-hit-3-other-firms-okta-says-2023-09-19/
[9] https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware