A second major US gambling operator and Atlantic City casino operator dealt with a cyber attack earlier this month.
Caesars Entertainment says hackers stole customer data, including driver’s license numbers and social security numbers, from a “significant number” of rewards card members, according to a recent US Securities and Exchange Commission filing.
The admission from Reno-based Caesars comes as its biggest competitor, MGM Resorts International, enters the fourth day of fallout from a cyber attack. The same group of international hackers is reportedly taking responsibility for both incidents, although that remains unconfirmed by authorities.
SEC filing details ‘suspicious activity’ with Caesars
Borgata Hotel Casino & Spa, an MGM Resorts property in Atlantic City, has been operating without several information-based systems since Sunday evening. As of Thursday, some of those systems have come back online, but customer access to most MGM Rewards perks, such as comp points, remains limited.
Caesars, meanwhile, operates three casinos in AC — Caesars Atlantic City, Harrah’s Resort Atlantic City, Tropicana Atlantic City — but there were no major disruptions as a result of the digital breach.
According to the SEC filing, Caesars’ IT department noticed “suspicious activity…resulting from a social engineering attack.” Unconfirmed reports say the hackers’ attacks go back to at least Aug. 27. Caesars says that on Sept. 7, it was determined that an “unauthorized user” obtained its loyalty program database.
Caesars paid tens of millions of dollars in ransom
The difference between the cyber attacks appears to be in how the companies responded. Bloomberg is reporting Caesars paid “tens of millions” of dollars in ransom to the hackers. The company has not confirmed that information.
Thursday morning’s 8-K filing adds some credibility to those reports, with Caesars saying:
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result…We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter.”
Caesars said in the SEC filing that it has seen “no evidence” the stolen data “has been further shared, published, or otherwise misused.” Nonetheless, Caesars is offering credit monitoring and identity theft protection to Caesars Rewards members. The company said it will be notifying members “consistent with our legal obligations” on a rolling basis over the next few weeks.
In terms of online platforms, Caesars has claimed its betting apps have continued to operate as normal — meaning there shouldn’t be any hiccups with Caesars Online Casino NJ.
Updating the MGM fallout
Caesars voluntarily filed the 8-K document with the SEC. Beginning in December, publicly traded companies such as Caesars and MGM will be legally required to notify the SEC of any cybersecurity incidents.
MGM also submitted an 8-K on Sept. 12. The Las Vegas-based gambling operator contacted authorities as well. On Wednesday, the FBI confirmed it was “investigating” the MGM cyber attack. No further details have been provided by either the FBI or MGM Resorts.
The issues with MGM are most felt in Sin City, where the gambling operator oversees some of The Strip’s most notable casinos, including Bellagio, Mandalay Bay and MGM Grand.
Bill Hornbuckle, MGM CEO and president, posted a message on social media Thursday morning, saying, in part:
“…providing our guests with outstanding service is at the heart of who we are as a company. We continue to work diligently to resolve this issue, and that includes increasing our staffing levels across our properties…”