Caesars Entertainment confirmed Thursday (September 14) that hackers had gained access to its computer systems through an outsourced vendor, stealing a large amount of customer data in a cyberattack.
In a filing with the U.S. Securities and Exchange Commission (SEC), Caesars acknowledged that the driver’s license and Social Security numbers “for a significant number of members” of the Caesars Rewards program were copied by an “unauthorized actor.”
“We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor,” the company said. “We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.”
The issue was the result of a social engineering attack on an outsourced IT support vendor used by the company. Caesars did not identify the third-party operator in its filing.
“Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption,” according to the company’s filing.
Caesars said that other data was stolen in the cyberattack but did not say what. It is unknown how many individuals are affected by the incident.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the SEC filing, implying the company could have paid a ransom as reported.
The Wall Street Journal, citing anonymous sources, reported Caesars paid a $15m ransom to prevent further disruptions. Caesars has not specifically commented on this report.
In its filing, Caesars said the “full scope of the costs and related impacts of this incident” has not been determined.
Caesars is the second Las Vegas-based publicly traded gaming company to be hacked in recent weeks. MGM Resorts International reported that a “cybersecurity issue” affected the company on Sunday, and MGM was still recovering from the incident as the fifth day ended on Thursday.
The Financial Times reported that some of the stolen MGM data has been encrypted and the group nicknamed “Scattered Spider” is demanding cryptocurrency to release it.
Alex Hammerstone, a cybersecurity analyst and advisory solutions director with TrustedSec in Fairlawn, Ohio, said that as the gaming industry has evolved from the days of using all cash in a casino to apps, sports betting and player rewards cards, all that information has introduced more risk for companies.
“We shouldn’t create systems whereby compromising one employee lets you take down a company of this size,” Hammerstone told Vixio GamblingCompliance in an interview on Thursday.
“We should at least make it a little more difficult. They need to put in place regulations that mitigate the risk from all these connective devices.”
Moody’s Investors Service said the MGM Resorts incident was credit negative for the company because it “highlights the key risks related to business operations’ heavy reliance on technology and operational disruption caused when systems need to go offline or are inoperable.”
However, shares of MGM seemed to dismiss the financial impact of the cyberattack, gaining 11 cents, or 0.27 percent, to close Thursday at $41.58 on the New York Stock Exchange. Caesars, whose shares trade on the Nasdaq, jumped 2.33 percent, or $1.22 a share, to close at $53.57.
“Our sense is that MGM’s impact could potentially be material but moderate near term, while Caesars should see no meaningful impact and the question of whether any business is displaced among operators near term is fair,” said David Katz, an equity analyst with Jefferies.
In a research note Thursday, Katz wrote that he expects that group and transient business at MGM in the near term could be affected by 10 percent to 20 percent for the days that the current conditions exist.
According to estimates, MGM generates $42m and $8m in revenue and EBITDA per day company-wide, respectively.
Initially, MGM shut down its computer systems to minimize any further damage, which led to slot machines being taken offline inside casinos and thousands of guests left without functioning room keys at resorts across the U.S.
Business at MGM casinos and resorts remains operable and credit card use is possible, albeit manual, while more transactions have been cash-based.
As of late Thursday, MGM’s corporate website was still unavailable.
“We continue to work diligently to resolve our cybersecurity issue while addressing individual guests’ needs promptly,” MGM said in a statement Thursday.
The Nevada Gaming Control Board (NGCB) confirmed that the agency and Governor Joe Lombardo have been in contact with company executives, and “remain in communication with other law enforcement agencies.”
Meanwhile, the American Gaming Association (AGA) stressed that comprehensive cybersecurity protocols are in place based on “best practices and regulatory guidelines” for legal casinos, sportsbooks, and iGaming platforms.
“The regulated gaming industry continually evolves its cyber defense strategies as part of our commitment to safeguarding player data and personal information,” Alex Costello, AGA vice president for government relations, said in an email.