As if ransomware attacks were not enough of a headache already, class action lawsuits are emerging this year as a new bane plaguing online and land-based casinos.
Security technology to prevent data breaches has improved, but so has the evolving ecosystem of what has become known as Ransomware 2.0.
This upgraded method of cyberattack enables hackers to get what they want merely by infiltrating a company’s database without necessarily disabling the company’s website.
“Now, they hold [data] hostage, and say, ‘Whether you restore [your internet technology operations] or not, we really don’t care,’” said David Feder, a cybercrime attorney with the New York City firm of Fenwick & West. “We’re going to sell [your data] on the black market unless you give us as much money as we want. Usually it’s some form of cryptocurrency,” said Feder, a former U.S. attorney in New Jersey.
Cyberattacks on the casino industry are increasing by 1,000 percent annually and the average cost of a data breach is $4m, according to Feder, who participated in a March 6 panel discussion at the Gambling Boot Camp organized by the University of Seton Hall School of Law in Newark, New Jersey.
Until this year, class action lawsuits against the gaming industry because of data breaches were extremely rare.
But in January, a proposed class action lawsuit in Newark, New Jersey, accused BetMGM of failing to adequately protect personally identifiable information of 1.5m customers during a cyberattack in May 2022.
The class action lawsuit was dropped on February 13 for undisclosed reasons, but Seton Hall University law professor David Opderbeck said he would not be surprised if the lawsuit is eventually resurrected.
“There are at least four others filed in the past couple of months that are still pending,” said Opderbeck, who moderated the cybersecurity panel at the Seton Hall Gambling Boot Camp.
A class action lawsuit is a unique procedural device enabling one or more plaintiffs to file and prosecute a lawsuit on behalf of a larger group or class.
Individual claims usually may not amount to much but when aggregated with multiple claims, “then you’re talking some serious money,” Opderbeck said.
On the other hand, class action lawsuits usually are settled without a trial and less than 5 percent of eligible plaintiffs actually file a claim.
These recent class action lawsuits against casino companies are not confined to the East Coast.
On March 2, Rancho Mesquite Casinos in Nevada became a defendant in a class action lawsuit after the theft of personal information of about 230,000 customers in a cyberattack on November 9, 2022.
“This isn’t just a BetMGM issue; this isn’t just an iGaming industry issue. Cybersecurity is impacting any industry that includes technology,” said Afshien Lashkari, lead engineer of the Technical Services Bureau at the New Jersey Division of Gaming Enforcement.
Threats to cybersecurity are not only external but internal because of employees and contractors who have access to a company’s database.
Nitin Pandey, managing director of the cyber risk advisory practice at Deloitte in New York City, said the internal threat has increased exponentially since COVID-19 when employees began working from home.
Hackers search for the weakest link before launching cyberattacks, Pandey said, and that “usually ends up being — number one — employees.”
In this new mobile era, workers are using more electronic devices, increasing the potential for data breaches which can lead to class action lawsuits.
Feder said it is important for casinos to follow a robust system of best practices in trying to prevent and combat cyberattacks and data breaches.
“Increasingly, today’s best practices are tomorrow’s regulations,” Feder said.
“Sound the alarm … . Make sure that people throughout the corporate structure [of your company] understand that this risk is there and the proper budget allocations are made.”