MGM Resorts is currently in the midst of a major cybersecurity issue. They’re not the only national casino operator facing this problem.
Caesars is also dealing with a cyberattack.
Hackers didn’t technically hack the system. The group known as Scattered Spider or UNC 3944 used a social engineering tactic similar to other recent crimes against casinos. In this case, a third-party vendor “opened the door” to Caesars’ computer system by using social engineering.
Caesars revealed the cyberattack in a recent 8-K filing to the Security and Exchange Commission (SEC).
Caesars says that it has taken measures to have the stolen data deleted by the hackers. Of course, they can’t guarantee that hackers will delete the information. There isn’t always honor among thieves, regardless of how much money Caesars may have paid the hackers.
According to Bloomberg via a Yahoo! Finance post, Caesars paid “tens of millions of dollars” to the hackers. CNBC is reporting that the hackers asked for a $30 million ransom. Caesars agreed to pay $15 million. Some of this expense will be covered by its cyber insurance policies.
While not disclosing specific amounts, in the 8-K filing Caesars said the expenses may continue:
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined. “
Caesars has not confirmed the timeline of this attack and hasn’t commented beyond the SEC filing. The Bloomberg report says it could have started as early as Aug. 27.
Hackers copied Caesars Rewards client database
According to the 8-K filing, Caesars found irregular activity by an “unauthorized actor” in its computer system on Sept. 7. The investigation into suspicious activities in its computer system found that its Caesars Rewards loyalty program and other data were copied:
“We determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database.”
The company is still looking into how any of the information is being used. At this time Caesars doesn’t see proof that the hackers have passwords, PINs, banking information, or credit card information.
Many people may have been affected by this hack. Last year the company touted that Caesars Rewards had 65 million members.
Caesars is stepping up its client protection services
Caesars is offering credit monitoring and identity theft protection services to all members of Caesars Rewards. The company also set up a line for anyone with legal questions.
To sign up for these services or ask legal questions, Caesars Rewards members can call (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday.
This remains an ongoing matter. Caesars recommends visiting https://response.idx.us/caesars/ for up-to-date information.