Caesars Entertainment, a major player in the integrated hotel and casino industry, has confirmed a significant data breach resulting from a recent cyberattack. The breach, which came to light following reports in the media, saw hackers gain unauthorized access to a vast database containing customer information, including driver’s license numbers and Social Security numbers. Caesars filed an 8-K notice with federal regulators, as required by public companies when an event materially impacts their operations, to disclose the breach.
Stolen data and uncertain impact
While Caesars Entertainment confirmed that the cyberattack had compromised its loyalty program database, the company did not specify the extent of the data stolen beyond this. Furthermore, it remains unclear how many individuals have been affected by the breach. In its official statement, Caesars revealed that they had taken steps to ensure the unauthorized actor deletes the stolen data. However, they acknowledged that guaranteeing the success of this effort is challenging, hinting at a possible ransom payment.
Ransom payment speculations
Reports suggest that the hackers responsible for the breach demanded a $30 million ransom from Caesars Entertainment, with the company allegedly paying approximately half of the sum to prevent the disclosure of stolen data. These claims emerged after Bloomberg initially reported the incident, followed by confirmation from The Wall Street Journal. Caesars spokesperson Robert Jarrett has not yet commented on these reports.
Social engineering and cyberattack details
In a separate data breach notice, Caesars disclosed that the cyberattack resulted from social engineering tactics employed on an external IT vendor, although the vendor’s identity remains undisclosed. According to sources, the hacking group behind the attack, known as Scattered Spider or UNC3944, initiated their efforts in late August. Scattered Spider is notorious for leveraging social engineering methods to deceive employees into granting access to corporate networks. Reports suggest that the group comprises young adults and teenagers, bearing similarities to other hacking and extortion collectives like Lapsus$.
Interestingly, a representative from Scattered Spider denied their involvement in the attack on Caesars but claimed responsibility for a cyberattack on MGM Resorts, another major player in the industry.
Multiple hacks in the casino industry
This incident marks the second high-profile data breach targeting hotel and casino giants in recent weeks. MGM Resorts reported a “cybersecurity issue” earlier this week, with its systems still experiencing outages and showing no signs of immediate recovery. MGM has not responded to inquiries via email and phone, and the status of their corporate phone lines remains uncertain.
The Federal Bureau of Investigation (FBI) declined to comment on the Caesars incident, including whether they were aware of it or conducting an investigation. While the FBI is investigating the MGM cyberattack, they have not provided additional details on the matter.
Caesars Entertainment has reported the breach to law enforcement, though U.S. authorities have consistently advised victims of cyberattacks and extortion not to comply with ransom demands. The situation continues to unfold as both Caesars Entertainment and MGM Resorts grapple with the aftermath of these security breaches.