The protection of consumer data has become a critical issue for U.S. casino and online gaming operators as hackers continue to acquire the bundles of sensitive data the industry collects and stores about its customers, warn regulators and security executives.
“What you are seeing is a huge amount of hacktivists out there targeting people,” said Michael Tobin, CEO and founder of Continent 8 Technologies.
“It is only going to get worse because as artificial intelligence technologies are developed using supercomputers the [hackers] are going to continue to find techniques to attack,” Tobin said. “There are always going to be bad guys, so you have to be one step ahead of them.”
The U.S. commercial and tribal gaming industries have experienced several incidents over the last two years that have forced casinos in Oklahoma to close, and prompted the FBI Cyber Division to issue a warning over the attacks that shut down a few tribal casinos.
During a panel discussion at the National Council of Legislators from Gaming States (NCLGS) meeting in Las Vegas, Michael Morton, senior policy counsel with the Administration Division of the Nevada Gaming Control Board (NGCB), highlighted several cyber-attacks that have affected gaming companies.
Morton gave an overview of a 2019 breach at MGM Resorts International, in which personally identifiable information was stolen from a cloud server owned by the company. More than 10.6m hotel guests had their information compromised in the attack.
In January 2021, Nevada Restaurant Services, parent company to the slot machine parlors known as Dotty’s, discovered malware on certain computer systems owned and operated by the company. Morton said that, through an internal investigation, the company found that the attacker was able to copy information from its systems.
Data held by Dotty's that was potentially compromised included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial accounts and routing numbers, as well as health insurance information, taxpayer identification numbers and credit card numbers.
Probably the most well-known incident in Nevada was in 2014, when Iranian hackers inserted malware into the computer networks of Las Vegas Sands that destroyed almost three quarters of its servers. The attack is reported to have cost the company $40m to recover its data and build new systems.
“What can regulators and legislators do to help prevent these attacks from happening?” Morton asked the gathering of state lawmakers and gaming regulators.
Morton’s appearance at the NCLGS conference on Friday (December 9) came as the Nevada Gaming Commission (NGC) is scheduled to consider final approval of updated cybersecurity regulations designed to ensure operators follow best practices when it comes to data protection.
Among the proposals being considered on December 22 is a recommendation for Nevada licensees to perform an initial risk assessment starting in 2023, and then perform updated risk assessments as needed.
If any breach compromises player data, credit card information and other records, licensees would be required to report the incident to gaming regulators within 72 hours.
Tobin said current trends show denial-of-service (DoS) attacks are up 400 percent in the last year, while incidents where hackers take over a website have increased 300 percent in the last year and a half.
He urged regulators, policymakers and executives to work together to deal with the issue because gaming companies generally are not cybersecurity experts.
“The processes you need to put in place to monitor are extremely critical and the technology is always changing and needs to be a constant focus for all of us,” Tobin said.
Tobin and Morton were joined on the panel by Josh Chin, managing partner with Net Force and a member of the Cyber Task Force Security Industry Association, as well as Representative Mike Finn, a Democrat from Massachusetts.
Chin reminded attendees that insider threats are also real, not only because an employee may go rogue or be disgruntled, but also because bad actors can offer employees $1,000 for their credentials.
“They are called initial access brokers online that are part of massive crime syndicates who will pay for people’s credentials, and you don’t know who will fall for that,” Chin said. “It could be your executive assistant. It could be the secretary or someone who is just having a really bad day.”
During his career, Chin has acted as an ethical hacker who tries to gain unauthorized access to a computer system, application or data.
“I’ve broken into banks. I’ve broken into U.S. lotteries,” Chin said. “Let me say, without disclosing too much, I walked away a billionaire several times over. Sadly, I had to give the money back or I wouldn’t be sitting here.”
He cautioned that there are people who can get into records and manipulate them. In his role with Net Force, Chin said he has watched in real time as law enforcement officials were writing reports about stolen lottery scratchcards.
“It isn’t hypothetical; this is real,” he added. “The evolution of technology is evolving, and we can’t stop it.”