Casino company Caesars Entertainment Inc. on Thursday joined Las Vegas gambling rival MGM Resorts International in reporting a cyberattack, but added in a report to federal regulators that its casinos and online operations were not disrupted.
The publicly traded Reno-based company told the federal Securities and Exchange Commission that it cannot guarantee the personal information of tens of millions of customers is secure following a Sept. 7 data breach that may have exposed driver’s license and Social Security numbers of loyalty rewards members.
“We have taken steps to ensure that unauthorized actors delete stolen data, although we cannot guarantee this outcome,” the company said.
Brett Callow, a threat analyst at New Zealand cybersecurity firm Emsisoft, said it was unclear whether a ransom was paid or who was responsible for the intrusion and the attack reported by MGM Resorts on Monday.
“Unofficially, we saw a group called Scattered Spider claiming responsibility,” Callow said. “Their native language appears to be English and they are affiliated with a Russian company called ALPHV or BlackCat.”
Charles Carmakal, chief technology officer at cybersecurity firm Mandiant, said Scattered Spider is also known as UNC3944. He called the group’s recent attacks on hospitality and entertainment organizations “incredibly destructive and aggressive.”
“The espionage techniques they leveraged would be a challenge for many organizations with sophisticated security programs,” Carmakal said in a statement.
Mandiant said in a blog analysis published Thursday that the group used text message phishing and phone calls to help desks in an attempt to obtain password reset or multi-factor bypass codes.
“This relatively new entrant to the ransomware industry has attacked at least 100 organizations, the majority of which are located in the United States and Canada,” Mandiant said.
Caesars is the world’s largest casino owner, with more than 65 million Caesars Rewards members and properties in 18 states and Canada under the Caesars, Harrah’s, Horseshoe and Eldorado brands. It also has mobile and online operations as well as sports betting. Company officials did not respond to emailed questions from The Associated Press.
Loyalty program customers will receive credit monitoring and identity theft protection, the company told the Securities and Exchange Commission.
The company reported that there was no evidence that the intruders obtained member passwords or bank account and payment card information, adding that the casino and online operations “were not affected by this incident and will experience no disruption.”
Caesars’ disclosure comes after MGM Resorts International, Las Vegas’ largest casino company, publicly reported on Monday that a cyberattack detected on Sunday led the company to shut down computer systems at hotels across the U.S. to protect data.
MGM Resorts said reservations and casino floors in Las Vegas and other states were affected. Customers shared stories on social media of being unable to make credit card transactions, withdraw money from cash machines or enter hotel rooms. Some video slot machines went dark.
MGM Resorts has approximately 40 million loyalty rewards members and tens of thousands of hotel rooms in Las Vegas, including the MGM Grand, Bellagio, Aria and Mandalay Bay. The company also operates properties in China and Macau.
A company report filed with the U.S. Securities and Exchange Commission on Tuesday pointed to a news release it issued on Monday. The FBI said the investigation is ongoing but did not provide additional information.
Some computer systems at MGM Resorts remained down Thursday, including hotel reservations and payroll. But company spokesman Brian Ahern said it expects its 75,000 employees in the United States and abroad to be paid on time.
Callow said by phone from British Columbia, Canada, that most media coverage of the incidents was speculative because the information appeared to come from the same entity that claimed to have carried out the attacks. He said recovery from a cyberattack could take months.
Callow pointed to reports that Caesars Entertainment was asked to pay $30 million to secure its data, which he found “credible,” and that Caesars Entertainment may have paid $15 million. He also noted that the company did not describe in the SEC report the steps it took to secure the stolen data.
Callow said the highest ransom believed to have been paid to cyber attackers was $40 million, by insurance giant CNA Financial after a data breach in March 2021.
“In these cases, organizations are essentially paying to get a ‘pinky promise,’” he said. “There’s no way to really know if (the hackers) deleted (the stolen data) or if it wasn’t used elsewhere.”