The cybersecurity risks faced by the gaming industry are well known, as hackers continue to successfully target operators in an effort to acquire sensitive customer data and hold it for ransom, with a former FBI chief warning of greater threats to come.
“I like to say that over the last three years what firms have been facing is an onslaught,” said Mike Welch, former deputy assistant director for the FBI Cyber Division. “Most firms are overwhelmed and overwhelmed for many reasons.”
Despite the increased risks, Welch said cybersecurity departments are still underfunded and understaffed.
“That creates vulnerabilities every day across the board,” said Welch, a partner with AlixPartners who spoke to industry executives regarding risks from cybersecurity, organized crime and illegal gambling at ICE last week in London.
“So, when we move in … of the basics required as you engage your [information technology] team, is there a response plan that everyone knows from top to bottom, who needs to make the decisions and what are the responsibilities along with why.”
Welch said cybersecurity experts inevitably find that companies lack a clear response plan for a cyberattack, one that sets out a clear line of decision-making and responsibilities.
“At least 35 percent of you sitting in this room are going to have to deal with that in 2024. This is a fact,” Welch said. “Not only is this onslaught going to continue, but the technology also associated with all these frauds that are being perpetrated through cyberattacks … is being enhanced primarily by artificial intelligence.”
Welch stressed that law enforcement is going to be playing catch-up with cybercriminals for a period of time because of the advances in AI. In a couple of years, however, AI will allow law enforcement and compliance departments to better identify and respond to an attack.
“The complexity and volume of the attacks taking place on a daily basis, which I think is every 30 seconds there is an attack across the globe … has overwhelmed so many companies along the way,” Welch told ICE delegates.
Cyberattacks on tribal and commercial gaming companies have become more complex and frequent over the last few years, causing damage to internal control systems and costing millions to repair and bring systems back online.
MGM Resorts International and Caesars Entertainment last year endured ransomware attacks by a group known as “Scattered Spider.” Caesars acknowledged paying an undisclosed sum to end the attack.
MGM took a different approach that resulted in ten days of computer issues that affected its employees and guests, and ultimately cost the company $100m, which was covered by insurance. Caesars said its payment was also covered by a cyber insurance policy.
At least a half dozen tribal casinos in Oklahoma were forced to close after their operations were disrupted by ransomware attacks. The National Indian Gaming Commission (NIGC) issued an advisory in September highlighting its three-prong approach to cybersecurity, including an emphasis on administrative, physical and technical controls.
A cyberattack last year on Gateway Casinos and Entertainment forced one of Canada’s largest gaming companies to shut down 14 of its 31 casinos across British Columbia, Ontario and Alberta for more than a week while technology experts worked to restore their IT systems.
“Of all the matters that we are engaged in, I’ve said ransomware not only is the most complex, but it is the most damaging and generally recoups the most rewards for various groups,” Welch said.
Welch cautioned gaming executives and regulators that ransomware is now being sold as a service.
“Why is that dangerous? Because you have individuals that pay anywhere between $20,000 to $200,000 to have one of these very complex organized crime startups walk you through an attack,” he said.
“Not only [do they] help you identify your target but also implement the ransomware from start to finish, all the way through you receiving your Bitcoin payment,” Welch added. “It’s extremely dangerous.”
He told ICE attendees that these groups bring in a whole new category of individuals who previously could not engage in ransomware because they lacked the technical skills; now they have people to teach them and walk them through the ransomware attack.
“So, it is really creating more of a harmful environment,” Welch said.
Welch was joined for the half-hour discussion by Louis J. Freeh, a partner and managing director at AlixPartners and a former FBI director.
Additional reporting by Harrison Sayers.