Caesars Entertainment, self-described as the largest U.S. casino chain with the most extensive loyalty program in the industry, says it paid a ransom to avoid the online leak of customer data stolen in a recent cyberattack.
The attack was reportedly perpetrated by a group called Scattered Spider (aka UNC3944), a group skilled at using social engineering to bypass corporate network security. It's the second notable attack on a Las Vegas casino group, following a hack that caused a cyber outage at MGM Resorts.
Caesars said in an 8-K notice with federal regulators filed before markets opened on Thursday that hackers stole a copy of the company’s loyalty program database, which includes driver license numbers and Social Security numbers for a “significant number of members.” Public companies are obligated to file 8-K notices when an event or incident has a material effect on their businesses.
Caesars' 8-K also implies that a ransom demanded by the attackers was paid to prevent the leak of the stolen data online—a Wall Street Journal report says the hotel and casino entertainment company paid roughly $15 million, half of the attackers' initial $30 million demand.
"We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result," Caesars said.
"We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused."
From the new Form 8-K, it appears the hackers breached a third-party IT vendor to gain access to Caesars. While Caesars identified neither the vendor nor the nature of the services it provided, we can assume, given the extent of the third party's access, that it was a vendor providing critical services, engaged to keep the company's digital ecosystem running smoothly.
Caesars said its core customer-facing operations – both online platforms and physical locations – remained untouched and operations continued without disruption.
The company said it has also taken steps to ensure that the specific outsourced IT support vendor involved implements corrective measures to protect against future attacks that could pose a threat to its systems.
That cyber-criminals needed only a few human-manipulation tactics to break into a casino, an institution notorious for its inviolable security mechanisms and protocols, is jarring.
Nevertheless, a few lessons can be learnt from the incident.
Mitigating Social Engineering Risks Involving Third-Party Vendors
To protect against social engineering attacks on outsourced vendors and the extra vulnerabilities they introduce, companies should implement comprehensive security measures:
Security Awareness Training: Conduct regular security awareness training for all employees, including training specific to identifying and responding to social engineering attacks.
Multi-Factor Authentication (MFA): Require MFA for accessing sensitive systems and data, adding an extra layer of security even if an attacker obtains login credentials.
Vendor Assessment and Monitoring: Perform due diligence when selecting vendors. Continuously assess their security practices and monitor their activities to ensure compliance with security policies.
Clear Access Controls: Implement strict access controls, limiting the permissions of support personnel to only what is necessary for their tasks.
Incident Response Plans: Develop and regularly update incident response plans that specifically address social engineering attacks. Test these plans to ensure they are effective.
Physical Security Measures: Enhance physical security by implementing measures to prevent unauthorized access to company premises, including visitor logs, access badges, and escort policies.
Regular Auditing: Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in the security posture.
Encryption and Secure Communication: Encourage the use of encryption for communication channels between the company and IT support vendors to protect against eavesdropping.
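The "clear access controls" and "vendor monitoring" items above are the two that an engineer can turn directly into something testable: write down what a vendor support account is allowed to touch, from where, and when, and then check the access log against that policy. The script below is an added example, not code from the article or from Caesars or its vendor; the account name, host names, IP ranges, log format and every log line are constructed for illustration. It encodes a least-privilege policy for a hypothetical outsourced-support account and flags out-of-scope hosts, unexpected source networks, activity outside the agreed maintenance window, and a helpdesk-initiated MFA reset followed shortly by a login, which is the kind of event a social-engineering attempt against the vendor or the helpdesk would produce and that deserves an out-of-band confirmation.

```python
"""Least-privilege policy check and anomaly review for a third-party support account.

Added illustration, not from the article. All names, hosts, networks and log
lines below are constructed; the log format is a hypothetical key=value one.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class VendorPolicy:
    account: str                       # the vendor's service/support account
    allowed_hosts: frozenset           # systems the vendor may touch
    allowed_networks: tuple            # ip_network objects the vendor connects from
    window: tuple                      # (start_hour, end_hour), 24h, end exclusive
    reset_lookback: timedelta          # how long after an MFA reset a login is suspicious


# Hypothetical policy: the vendor only supports the two ticketing hosts,
# only from its own documented range, and only during business hours.
POLICY = VendorPolicy(
    account="svc-itsupport",
    allowed_hosts=frozenset({"ticketing-01", "ticketing-02"}),
    allowed_networks=(ip_network("203.0.113.0/24"),),
    window=(8, 18),
    reset_lookback=timedelta(hours=4),
)

# Constructed sample log: normal vendor activity, then an after-hours MFA
# reset by the helpdesk followed by a login from an unknown network that
# reaches a host outside the vendor's scope.
SAMPLE_LOG = [
    "2023-09-12T09:15:00 login user=svc-itsupport src=203.0.113.10",
    "2023-09-12T09:16:00 access user=svc-itsupport src=203.0.113.10 host=ticketing-01",
    "2023-09-12T10:02:00 login user=alice src=203.0.113.11",
    "2023-09-12T22:40:00 mfa_reset user=svc-itsupport src=10.0.5.5 by=helpdesk-bob",
    "2023-09-12T22:47:00 login user=svc-itsupport src=198.51.100.7",
    "2023-09-12T22:49:00 access user=svc-itsupport src=198.51.100.7 host=loyalty-db-01",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: host=(?P<host>\S+))?(?: by=(?P<by>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def review_vendor_access(lines, policy):
    """Compare every event for policy.account against the policy and return findings."""
    findings = []
    reset_times = []

    def flag(ts, kind, detail):
        findings.append({"ts": ts, "kind": kind, "detail": detail})

    for ev in map(parse_line, lines):
        if ev is None or ev["user"] != policy.account:
            continue
        ts = ev["ts"]
        if ev["event"] == "mfa_reset":
            # Any reset of a vendor account's second factor is worth a ticket,
            # whoever performed it; record it so later logins can be correlated.
            reset_times.append(ts)
            flag(ts, "mfa_reset", f"MFA reset by {ev['by']} at {ts.isoformat()}")
            continue
        src = ip_address(ev["src"])
        if not any(src in net for net in policy.allowed_networks):
            flag(ts, "unknown_source", f"{ev['event']} from {src} outside vendor ranges")
        if not (policy.window[0] <= ts.hour < policy.window[1]):
            flag(ts, "outside_window", f"{ev['event']} at {ts.isoformat()} outside window")
        if ev["event"] == "access" and ev["host"] not in policy.allowed_hosts:
            flag(ts, "out_of_scope_host", f"access to {ev['host']} not in allowed hosts")
        if ev["event"] == "login" and any(
            timedelta(0) <= ts - r <= policy.reset_lookback for r in reset_times
        ):
            flag(ts, "login_after_reset", "login shortly after an MFA reset; confirm out of band")
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick dashboard or alert."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in review_vendor_access(SAMPLE_LOG, POLICY):
        print(f"{f['ts'].isoformat()} {f['kind']:18} {f['detail']}")
    print(count_by_kind(review_vendor_access(SAMPLE_LOG, POLICY)))
```

The policy object is the "clear access controls" item made explicit: if a vendor's scope cannot be written down as a short list of hosts, networks and hours, it is probably broader than it needs to be. Run against the constructed log, the first three lines produce nothing, while the after-hours sequence yields seven findings across five kinds; in a real deployment the `mfa_reset` and `login_after_reset` findings would be the ones routed to a human, because they are exactly the events a successful impersonation of the vendor to the helpdesk would leave behind.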
No matter how impervious your own security measures might be – whether it's a casino safe, a list of casino clients or a law firm's client data – social engineering attacks targeting outsourced third-party vendors are a significant cybersecurity threat that organizations must address.
To defend against these threats, avoid fines, safeguard clients' data and preserve their brand, companies must adopt a holistic approach to cybersecurity, combining technical safeguards with security training and continuous vendor assessments.