Published: September 24, 2023

Nevada Gaming Commissioner Wants Answers About MGM, Caesars Cyberattacks

Nevada Gaming Commissioner Brian Krolicki, the newest member of the state gaming regulatory who was appointed just in February by Gov. Joe Lombardo (R), believes the commission and possibly the public should be told about the recent cybersecurity breaches at casinos operated by MGM Resorts International and Caesars Entertainment.

Krolicki, a Republican and two-time lieutenant governor and state treasurer, succeeded Commissioner Ben Kieckhefer in the role after he left the agency to become Lombardo’s chief of staff.

Krolicki said at the end of the Nevada Gaming Commission’s nearly five-hour meeting on Thursday that he would like to know more about the cyberattacks levied against MGM and Caesars. The attacks have generated worldwide media coverage.

Info Sought

MGM’s operations remain disrupted from a cyberattack on its IT systems that is thought to have been initiated on Sept. 10.

Though most gaming and resort operations have been restored, casino hotel rooms still cannot be booked online, and reservations can only be amended by calling the property. MGM guests also must check in at the front desk to obtain a physical room key, as digital entry remains unavailable.

Caesars revealed through a filing with the US Securities and Exchange Commission that its Caesars Rewards loyalty program was attacked in August. Caesars paid a ransom in exchange for the hackers agreeing to delete the customer data. The bounty was reportedly $15 million.

A criminal cyber gang called Scattered Spider has taken responsibility for both attacks. Aside from those details, little is publicly known about the cybersecurity events. Krolicki believes the commission should be given answers.

I think it would be important — and certainly enlightening — given the recent events regarding cybersecurity and ransomware and how that impacts our regulatory responsibilities,” Krolicki said. “Right now, the priority is to recover and make sure patrons are made whole and the systems are secure.

“But at some point in time, when there’s the energy and understanding of what just happened, if we could get some kind of briefing on what’s transpired, it would be helpful” Krolicki continued.

The former lieutenant governor said the public should also be made aware of the events if such information is appropriate for public disclosure. Krolicki says the Nevada Gaming Control Board (NGCB), which the Gaming Commission oversees, should additionally consider updated cybersecurity measures to hopefully prevent similar attacks in the future.

Reporting Policies

The Nevada Gaming Commission already requires its licensed casinos to perform an annual risk assessment of its cybersecurity systems. The state also requires licensees to report any data breaches to the NGCB within 72 hours of the event becoming known.

Krolicki wants to know if MGM and Caesars met that deadline and other answers to the many unknown questions.

There are a lot of questions and a lot of publicity. It’s a global story, and I think it would behoove all of us to get a good handle on what happened,” Krolicki concluded.

Since Krolicki made his remarks during the public comment period of the commission’s meeting and because it was not an agenda item, Chair Jennifer Togliatti said the commission “cannot take any action” in regard to his request. The Nevada Gaming Commission next meets on Oct. 4.

© Public Gaming Research Institute. All rights reserved.