The Top Cybersecurity Hacks in Casinos and Gaming

Casinos, especially those on the iconic Las Vegas Strip, are renowned for their exceptional physical security. Unfortunately, as cyberattacks become an increasingly prevalent threat across all industries, casinos now need to invest the same rigorous infrastructure in their cybersecurity standards. The reality is that casinos have become ideal targets for malicious actors, leading to high-profile breaches and significant losses in revenue.

According to the American Gaming Association, the casino gaming industry contributes almost $329 billion in economic activity to the U.S. annually, making cyber attacks against casinos highly disruptive. As casinos continue to adapt to technological advancements and leverage technology to offer new avenues for gambling and gaming, understanding and addressing cyber threats becomes imperative.

The High Stakes of Cybersecurity for Casinos

The idea of criminals successfully scamming a casino out of millions may seem like the far-flung plot of “Ocean’s 11.” However, the rapid digitization of the economy has forced casinos to adopt new means of connectivity, and in turn, impacting how secure they are from persistent cyber threats. These threats have led to disruptions in hotel operations and the compromise of sensitive guest information.

In reality, casinos are ideal targets for cyberattacks for multiple reasons:

Vast amounts of personal data

Casinos collect and retain a large volume of valuable data about patrons, including financial details, login credentials, and personal information tied to loyalty programs. These vast datasets may include credit card numbers, bank account information, transaction histories, and preferences related to gameplay and spending habits. Additionally, patrons’ personally identifiable information (PII), such as driver’s licenses or social security numbers, may be stored to comply with regulatory requirements. With such a comprehensive profile of each patron, it’s hardly a surprise that actors view these institutions as rich sources for credit card fraud, identity theft, and other forms of financial crime. Gaining access to this information can enable exploitation across multiple platforms.

New IoT Threats

Casinos increasingly rely on Internet of Things (IoT) devices to enhance guest experiences, streamline operations, and improve security. However, integrating IoT devices within casinos also presents new cybersecurity challenges.

Threat actors are well-known for exploiting any possible vulnerability to gain access to a network, and in 2017, they exploited a casino’s internet-connected fish tank. The fish tank had an insecure smart thermostat connected to the casino’s network to monitor and regulate the water temperature and environment for the fish. The unusual activity was spotted quickly, but not before the threat actors successfully exfiltrated sensitive guest information.

While IoT devices offer a multitude of conveniences for both casinos and guests, they often lack robust cybersecurity controls. Ensuring IoT devices are secured is vital, as they are frequently accessible via the public internet and can provide malicious actors with easy access to the broader network, leading to data breaches and the disruption of casino operations.

Numerous Avenues for Attacks

Casinos are designed to keep guests inside, and as a result, they are sprawling enterprises of interconnected systems spanning gaming floors, hotels, and entertainment areas—each a potential opportunity for cyberattacks.

Threat actors can exploit weaknesses in casino security systems, infiltrate hotel operations, or even leverage access from third-party vendors. Vendors often pose a risk, as they might not adhere to robust security standards but generally retain a level of trusted access. Vendors supplying services such as electronic payment systems, maintenance for IoT devices, or loyalty program management often have varying levels of access to the casino’s network, creating indirect channels that hackers can exploit.

Pressure to Resume Operational Status

Understandably, casinos will likely experience increased pressure to quickly resolve any business disruptions that often accompany a cyberattack and protect the guest experience. The pressure to maintain operations and uphold a positive reputation can result in casinos choosing expedient solutions rather than prolonged downtimes. When faced with a highly disruptive cyberattack such as ransomware, casinos might gravitate toward paying a ransom or attempting to negotiate with the threat actors to secure their systems and preserve their financial standing.

Already, there have been multiple high-profile breaches impacting major casinos and resulting in significant financial losses.

Top 5 Cyber Attacks Against Casinos

In 2023, the FBI warned of increased cyber attacks, most notably ransomware, against casinos. While the attacks frequently targeted small tribal casinos, some big players in the gambling industry have also been hit by disruptive attacks, including hotel giants and online gambling sites

Caesars Entertainment

In September 2023, Caesars Entertainment disclosed they had fallen victim to a cyber incident in a mandatory SEC filing. Threat actors stole customer information from its guest rewards database after successfully phishing a third-party vendor.

Caesars made a $15 million payment to the threat actors to prevent the release of sensitive guest data; however, paying a ransom never guarantees that the threat actors won’t leak the stolen data anyway. As a result of the incident, Caesars faced multiple class action lawsuits.

MGM Casinos

In September 2023, MGM Resorts reported a cyber disruption, which known ransomware group Scattered Spider or ALPHV publicly claimed credit for. Like Caesar’s, the MGM incident was also a result of a social engineering attack. Although never confirmed, it has been widely speculated that after gaining access, the threat actors launched a ransomware attack to disrupt casino operations.

For days following the breach, MGM Resorts properties were forced into manual operations. Hotel room digital key cards and slot machines weren’t working, and guests waited in long lines for physical key cards or handwritten receipts for casino winnings. Normal operations resumed after about ten days, and the downtime allegedly cost $100 mil.

Notably, MGM Resorts also suffered a cyber attack in 2019 where the data of 10.6 million guests was stolen.

Mariana Bay Sands

On October 20, 2023, Marina Bay Sands, a casino and hotel in Singapore owned by Las Vegas Sand Corp., suffered a cyber incident. The incident led to the exposure of the personal data of about 665,000 non-casino rewards program members. The casino said they had no evidence that guest information had been misused by the threat actors.

Crown Resorts

In 2017, Crown Resorts in Austria suffered a cyber attack after threat actors exploited the vulnerability in GoAnywhere, a managed file transfer software program. The attack against Crown was part of a global spree perpetuated by the Cl0p ransomware gang, which claimed more than 130 victims globally. While Crown said no customer data was compromised, this attack highlights the sprawling landscape of risks modern casinos face.

Betfair

Much like physical casinos, online casinos also face increased risks of cyberattacks. Betfair, an online betting exchange, experienced a cyber attack in 2010 that saw threat actors steal 3.2 million account details. Betfair reported the attack a year later, in 2011, and their security chief ultimately resigned.

Best Practices to Avoid Casino Cyber Attacks

Casinos have large attack surfaces, including security systems, servers, traditional IT equipment, and IoT devices. Security and IT teams must monitor the totality of the casino’s attack surface. Generally, this begins with a robust device inventory and risk assessment so teams can understand what devices are on the network and how they communicate with other devices on the network and externally. Understanding the regular behaviors of devices allows teams to quickly respond to anomalous behavior, such as data being exfiltrated through a smart fish tank thermometer. Additionally, having a detailed understanding of all devices on the network allows teams to apply a risk-based approach to updating and patching, quickly securing the most at-risk devices.

While it isn’t feasible to thoroughly monitor third-party vendors’ security posture, they should understand how vendors connect to their network and what access they have. Targeted network segmentation can be a meaningful tool to allow third parties the access they need while limiting potential damage.

Additionally, any cyber attacks against casinos have involved social engineering and phishing. Using multi-factor authentication (MFA) and educating staff on identifying and reporting phishing attacks is critical.

How Asimily Helps Secure Casinos 

As casinos continue to embrace technological advancements, they will continue to face new cybersecurity challenges and remain attractive targets for malicious actors. All gaming and gambling establishments need to understand the criticality of securing their assets against opportunistic threat actors so they can focus on providing a superior customer experience.

Asimily was built to address complex IoT risks, even for large, complex organizations like casinos. Asimily’s inventory and vulnerability detection capabilities are built to monitor traffic to and from IoT equipment and proactively identify security fixes. Locking down traffic and monitoring for anomalous behavior is a powerful tool.

In the event of a cyberattack, our platform, with its rapid response features, quickly captures packets to aid incident responders. With Asimily, teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.