Like many companies around the world, the casino and gaming industry has been forced to deal with a growing technological concern over the last few years – cyber attacks. Cyber security has never been a bigger concern as casinos around the world have experienced breaches in recent years.
Harvard Business Review recently reported a 20% increase in data breaches from 2022 to 2023 and that looks to continue going up.
“For many years, organizations have struggled to protect themselves from cyberattacks: companies, universities, and government agencies have expended enormous amounts of resources to secure themselves,” the report noted.
Casinos have also seen a major uptick in cyber attacks in recent years, including some major cases in 2023 with a couple of cases drawing some major headlines.
MGM Resorts
In September 2023, MGM Resorts experienced a cybersecurity attack that left many of the company’s computer systems down. The outage affected company websites, email accounts, reservation systems, and even slot machines at casinos across the U.S.
“MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems,” the company said in a statement at the time. “Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts.”
The company notified law enforcement and also consulted with outside security experts to combat the cyber attack. However, the breech greatly affected the company with casinos reverting back to operations one might have seen years ago – with many transactions and reservations conducted by hand rather than computer. Slot payouts were even made in cash for a time.
After several days, the company began to get things back to normal, but that came with considerable costs financially, with a drop in earnings for the third quarter of about $100 million. Hotel occupancy dropped to 5% compared to September 2022, which actually may not be too bad considering the issues the company faced.
MGM’s Securities and Exchange Commission filing reported that MGM also saw a $10 million one-time expense for technology consulting services, legal fees, and the use of other advisors during the cyber attack. Several lawsuits were also filed against the company.
MGM also said in the filing: “While no company can ever eliminate the risk of a cyber attack, the company has taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards. These efforts are ongoing.”
The FBI said the attack was the work of a group called “Scattered Spider,” which has cost companies millions of dollars since it began operating in 2021.
Caesars Entertainment
MGM wasn’t the only company to experience an attempted cyber attack in 2023. Caesars Entertainment, the company that operates numerous major casinos including Caesars Palace, Paris Las Vegas, Flamingo, Harrahs, and numerous others, also experienced a cyber attack around the same time as MGM, with hackers demanding a ransom.
The company took a different route to getting back control of the companies’ system, according to the Wall Street Journal, and ultimately paid a $30 million ransom. The high-tech bandits used a similar scheme as with MGM to initially gain control of the company’s systems.
“Hackers used a social-engineering scheme, in which a person pretending to be an employee contacted the company IT help desk to have a password changed,” the Wall Street Journal reported. “Caesars said that the incident resulted from a social engineering attack on an outsourced IT support vendor, without providing further detail on ‘the unauthorized actor’ responsible for it.”
The company quickly activated response protocols for this type of situation and enacted containment and remediation measures for Caesars computer systems. Management was able to gain back its systems completely after paying the ransom, according to reports.
The Journal noted: “Hotels and casinos are potentially lucrative targets for hackers because of the amount of personal and financial data they collect from customers.”
Shutting Down in Canada
American gaming companies haven’t been the only gaming and casino operators affected by cyber crime and a major case in Canada offers a look at how these cases can hurt employees. In April 2023, Gateway Casinos and Entertainment shut down casinos all across the province of Ontario after undergoing a ransomware attack.
The shutdowns lasted two weeks and greatly affected Gateway employees in the province, who weren’t able to work. The company operates gaming properties in British Columbia, Ontario, and Alberta and has annual revenues of more than $200 million. Management brought in outside experts to help regain access to computer systems and to protect customer data.
Some of the recent cyber attacks against gaming firms point to what should be a growing concern, according to a report from web performance and security firm Cloudflare.
“Over 5.41% of the total DDoS attack traffic recorded by Cloudflare in Q3 (2023) targeted gambling and gaming sites, taking over the cryptocurrency sector that was previously the most targeted,” Canadian Gaming and Business noted. “Looking at specific regions, Cloudflare reported a 10% increase in Canadian cyberattacks year-on-year. Canada ranks fifth globally for DDoS attack traffic, behind the US, Singapore, Vietnam, and China. In total, Canada is responsible for a 1.687% share of all DDoS traffic globally.
Other Hacking Cases
There have been more casino and gaming-related cyber security breaches in recent years as well. In February, Arizona’s Casino Del Sol in the U.S. was the victim of an attempted cyber attack and faced serious disruptions to the property’s computer systems. The attack affected the casino’s phone systems, bingo operations, rewards club, and more.
As noted, online operators have not been immune to these types of attacks as well. In September 2023, CoinTelegraph.com reported that a major crypto gambling site lost $41 million after being hacked. The site reported that the gaming site was drained of three different cryptocurrencies to an account that had previously seen no activity.
“Crypto gambling site Stake experienced $41 million in withdrawals on Sept. 4 in what blockchain security analysts have called ‘suspicious outflows,’” CoinTelegraph reported. “The withdrawing account has been labeled ‘Stake.com Hacker’ by Etherscan, implying that the drained funds may be the result of a stolen private key.”
In November 2023, Mexican online gaming operator Strendus allegedly left open access to numerous users’ personal data in what some media reports have called a “rookie mistake.” Cybernews reported that the “data was likely compromised by unauthorized actors.”
The site reported that significant personal data was available including names, home addresses, phone numbers, government ID numbers, email addresses, IP addresses, and more.
In 2002, one of the world’s largest online poker operators also experienced a serious setback after being cyber attacked. The attempted hack occurred during a major online poker series and left the company forced to reschedule many events.
No doubt casinos and other gaming entities will be targets in the coming years and technology staff members must remain vigilant in the war against these high-tech criminals.
“As the technology we use advances and progresses, the enormous potential for cyber crime also grows,” business insurance firm Embroker notes. “Not only is the number of cyber attacks growing, but incidents are becoming more sophisticated and dangerous. Cybercrime costs are on the rise, and it is expected to cost the world more than $24 trillion by 2027.”
