Bringing Down the House: Cyber Actors Breach Vegas Casinos
Caesars Entertainment disclosed a cyber incident to the U.S. Securities and Exchange Commission (SEC) that may have compromised customer information but did not affect its physical properties.
Caesars identified the suspicious activity on 7 September—approximately one week ago—which was the result of a social engineering attack on one of its outsourced IT vendors.
“After detecting the suspicious activity, we quickly activated our incident response protocols and implemented a series of containment and remediation measures to reinforce the security of our information technology network,” the company said in its SEC Form 8-K filing.
The unauthorized actors acquired copies of Caesars’ loyalty program database, which includes driver’s license numbers or Social Security numbers.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company said in its filing. “We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”
Security Management’s request for a comment clarifying that statement in the SEC filing was not returned before press time. Bloomberg News, however, reported that Caesars took the step of paying millions of dollars in ransom to the unauthorized actor to prevent the company’s data from being released.
The filing from Caesars was released in the same week that MGM Resorts and Casinos confirmed that it is working to address a cybersecurity incident. MGM filed a Form 8-K with the SEC on 12 September, confirming it had released a press statement on a cybersecurity incident involving the company.
The press release itself said MGM had detected a cybersecurity issue affecting some of its systems, which prompted it to begin an investigation with outside cybersecurity experts.
“We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems,” according to the press release. “Our investigation is ongoing, and we are working diligently to resolve the matter. The company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
NBC News reported that MGM shut down multiple aspects of its operations to contain the incident, including reservation systems, booking systems, hotel key cards, and casino floors.
In a statement on X, formerly known as Twitter, MGM pushed back on social media rumors that guests were locked out of their hotel rooms.
“Our guests remain able to access their hotel rooms and our front desk staff is ready to assist our guests as needed,” MGM wrote.
— MGM Resorts (@MGMResortsIntl) September 12, 2023
Security Management sent a request for comment on the cybersecurity incident and recovery measures to MGM, which did not immediately respond.
Two separate groups have claimed responsibility for the attacks. Scattered Spider allegedly told VX-Underground, an online malware research repository, that it was responsible for the MGM hack. The group ALPHV has also claimed responsibility for the MGM hack in a statement on its website, CyberScoop reported.
“The two groups—Scattered Spider and ALPHV—linked to the attacks on the two casino operators are a set of aggressive online criminal groups with well-documented history of carrying out ransomware attacks,” according to CyberScoop.
Scattered Spider, also known as UNC3944, is a financially motivated threat actor that has used phone-based social engineering and SMS phishing campaigns to obtain credentials and gain access to organizations.
“Since 2022 and through early 2023, UNC3944 appeared to focus on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments,” according to analysis from cybersecurity firm Mandiant. “However, in mid-2023, UNC3944 began to shift to deploying ransomware in victim environments, signaling an expansion in the group’s monetization strategies. These changes in their end goals signal that industries targeted by UNC3944 will continue to expand; Mandiant has already directly observed their targeting broaden beyond telecommunications and business process outsourcer (BPO) companies to a wide range of industries, including hospitality, retail, media, ... entertainment, and financial services.”
The disclosures of the cyber incidents come after the SEC approved new rules under which, beginning on 18 December 2023, registrants will be required to report material cybersecurity incidents within four days of detection.
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chair Gary Gensler in a statement on the rule approval. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Caesars Entertainment operates more than 50 resorts across the globe, including Caesars Palace, Harrah’s, Horseshoe, Eldorado, Silver Legacy, and Circus Circus Reno. MGM Resorts operates 31 hotel and gaming destinations around the world, as well as BetMGM, which provides sports betting and online gaming.