Following the high-profile attacks on MGM Resorts International and Caesars Entertainment, cybersecurity has never been more top of mind in the U.S. gaming industry as executives warn that traditional on-premises information technology infrastructure is no longer sufficient to protect against evolving threats.
The incorporation of new technologies into casinos, as well as the fact that casino-resorts are no longer seen strictly as a place to gamble, has created multiple touch points across the business, giving the “perpetrator, that is the bad guys, the ability to infiltrate in many different places in a typical casino,” warns Salil Kulkarni, former executive vice president and chief information officer with Caesars.
Kulkarni stressed that the days are gone when a casino had slot machines sitting on the casino floor plugged into an electrical outlet. Casinos have shifted to a computer network connected to many different places on-premises and in the cloud, with multiple penetration points from a cybersecurity perspective.
Kulkarni participated Thursday (October 19) in an hour-long webinar hosted by Vector Solutions discussing gaming’s cybersecurity vulnerabilities.
He was joined by Brent Hutfless, executive director of IT security with Wind Creek Hospitality, owned by the Poarch Creek Indians in Alabama; Michael Calvin, chief technology officer at Kinectify; and Mac Quig, Azure Leader Tribal Nations at Microsoft.
Kulkarni was asked what made casinos vulnerable and such an attractive target for cyber criminals.
Similar to a lot of other industries, Kulkarni said, the infrastructure of a casino is both old and new.
“In some cases, it is very old … and that old infrastructure simply wasn’t designed with cybersecurity in mind. Modern technology, including the cloud, was architected with security in mind and more specifically cybersecurity in mind, not just physical security.”
Kulkarni stressed that when casino systems are designed with cybersecurity in mind, it is easier to achieve it.
“It doesn’t guarantee it, but it is far easier to achieve it. It is very difficult to do that with old infrastructure,” he added.
Calvin said there are a few things that make gaming and casinos a ripe target for cyberattacks.
He said the first is the perception that they are very cash rich and have the funds to pay for something like a ransomware attack, whether that is truly the case or not.
“So, they are someone who had the resources the attackers want,” Calvin said. “They are also organizations that collect exactly the type of data that cyber attackers would want. They have highly sensitive personal identifying information (PII) to support government filings and to track things like income metrics.”
Calvin added that casinos' large employee bases, which are difficult to train effectively, also make them a ripe target for social engineering attacks.
The social engineering attacks on Caesars and MGM were successful after hackers targeted employees claiming they needed to re-authenticate their identities or update account information.
Kulkarni, who left Caesars in 2020 after the company’s acquisition by Eldorado Resorts, reminded webinar attendees that Caesars' casino business had been open every day, until the COVID-19 pandemic, since 1966.
“So, when you talk about an organization that is open all the time, 24 by 7 by 365,” Kulkarni said. “That means you have to be secure 24 by 7 by 365 through all the changes in technology, infrastructure, customers, etc. The perpetrators know that. We have to keep that in mind as we secure our borders.”
Hutfless of Wind Creek Hospitality admitted that the recent attacks were a “rude awakening.”
“The recent headlines captured most of our vulnerability, but ... there have been a number of issues that have come up, whether it was a ransomware attack or another type of hack,” Hutfless said. “It has been hitting operators pretty heavily over the last years.”
Hutfless said that although the gaming industry has started to recognize the issue, it is going to be taken out of the industry’s hands.
He noted the U.S. Securities and Exchange Commission (SEC) adopted new regulations earlier this year requiring the disclosure of material cybersecurity incidents and cybersecurity risk management, strategy and governance by public companies.
“When you think of the sheer number of publicly traded companies, it’s not just in the gaming and hospitality space that fall under the SEC, this is a significant change,” Hutfless said.
“Industry doesn’t like it when government steps in, but I think the government at this point has seen enough impact on our industries that felt they needed to make this change,” he added.