Hotel and casino company Caesars Entertainment this week confirmed that it was the victim of a cyberattack that stemmed from a social engineering attack on a third-party IT support vendor used by the company.
Attackers were able to access a copy of Caesars’ loyalty program database, which included driver’s license numbers and Social Security numbers for “a significant number” of program members. Caesars, which identified the unauthorized access on Sept. 7, said that it is investigating whether any further personal information was included in the files acquired by the unauthorized actor, and said it has “no evidence to date that any member passwords/PINs, bank account, or payment card information (PCI) were acquired by the unauthorized actor.”
While Caesars did not outwardly label the hack as a ransomware attack, a Bloomberg report on Wednesday said that the organization made a ransom payment to the attackers of tens of millions of dollars.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” according to Caesars in a Form 8-K filed for the U.S. Securities and Exchange Commission (SEC) detailing the incident.
Caesars did not disclose the name of the third-party IT support contractor. Cybercriminals in the past have found success in targeting third-party vendors, and then using that compromise to subsequently gain unauthorized access to downstream client data. The 2022 cyberattack on Okta, for instance, stemmed from a breach by the Lapsus$ group of a third-party contractor, managed support service provider Sitel. In an ensuing investigation into the incident, Okta said that it had cut ties with Sitel and was re-evaluating how it works with outside service providers.
Part of the challenge in protecting against these third-party risks is that the compromises happen outside of companies’ own purview. Organizations need to carefully vet their contractors and other third-party organizations, assess the distinct risks posed by each one, set up monitoring for any changes in that risk, and create formal processes for when contracts end to ensure that all related data is permanently deleted.
Caesars is still investigating and has yet to address several details of the attack, including when the incident started, how long the attackers had access to the database, and the number of loyalty program customers impacted. The Bloomberg report said that attackers started targeting Caesars as early as Aug. 27.
The Caesars loyalty program, Caesars Rewards, allows members to earn credits that can be redeemed for gaming, hospitality and entertainment. The program is used at more than 50 destinations and through the Caesars Sportsbook app across the U.S. The company has claimed that the program has 65 million members and that it is the largest program in the gaming industry.
In its Form 8-K, Caesars said it has "incurred certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter."
“The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined," said Caesars.
Public disclosure of the Caesars cyberattack comes as another gaming and hospitality giant, MGM Resorts, continues to face disruption across its hotels and casinos due to a separate cyber incident. As of Thursday, MGM Resorts’ website was still down, and in a brief Thursday update posted on Twitter, the company said that it is working to resolve the “cybersecurity issue.”
These incidents "should serve as a wake-up call for the industry," said Geoff Haydon, CEO at Ontinue. He urged hospitality and gaming organizations "to fortify their defenses and foster a culture of cybersecurity awareness."
"To safeguard against such vulnerabilities, companies must adopt a multi-faceted approach to cybersecurity," said Haydon. "This includes regular security audits, employee training, and the implementation of robust security protocols. Furthermore, businesses should appropriately segment their networks, thus isolating critical systems from potential breaches and ensuring continuity in case of an attack."