Caesars becomes latest operator to suffer a cyberattack following MGM Resorts hack
Operator confirms in SEC filing that personal data including driver’s license and social security numbers in loyalty program information extracted by hackers
Caesars Entertainment has confirmed it has been the subject of a cyberattack in which personal data belonging to a “significant number” of its customers was stolen by an unnamed criminal group.
Reporting the breach to the Securities and Exchange Commission (SEC), the operator revealed it had been the subject of a so-called “social engineering” attack on an outsourced IT vendor used by the company.
Data stolen includes a copy of the Caesars Rewards loyalty database, including driver’s license numbers and social security numbers, with the firm still investigating the true extent of the breach.
Caesars has however confirmed that no member passwords, PINs, bank account, or payment card information was included in the stolen data.
The operator confirmed that after detecting the suspicious activity, it implemented a full investigation as well as incident response protocols designed to reinforce the firm’s data security.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in an 8-K SEC filing.
While Caesars has not disclosed these steps, unconfirmed media reports in the Associated Press suggest the operator may have paid as much as $30m to the hackers to ensure the data remains confidential.
“We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program,” the operator added.
Caesars has confirmed all affected customers will be notified on a rolling basis over the next few weeks, with the operator instigating an incident response line which customers affected by the breach can call.
“While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents,” Caesars remarked.
“These efforts are ongoing. We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems.
“The trust of our valued guests and members is deeply important to us, and we regret any concern or inconvenience this may cause,” the operator concluded.
On Sunday (September 10), Caesars rival MGM Resorts reported a broad-based cyberattack which crippled its land-based casino empire, leading the firm to shut down its entire IT infrastructure to protect customer data.
Customer reservations, on-site cash withdrawals, as well as slot machines on casino floors are understood to have been unusable, with up to 30 venues thought to be affected.
Reports on Reuters have identified a hacking group called “Scattered Spider” as being responsible for the cyberattack; however, these have not been confirmed by the operator.