Caesars Entertainment, Inc. (the “Company,” “we,” or “our”) recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company. Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.
After detecting the suspicious activity, we quickly activated our incident response protocols and implemented a series of containment and remediation measures to reinforce the security of our information technology network. We also launched an investigation, engaged leading cybersecurity firms to assist, and notified law enforcement and state gaming regulators. As a result of our investigation, on September 7, 2023, we determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database. We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor. We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.
We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program. To sign up for these services, members may call (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.
Additionally, we will be notifying individuals affected by this incident consistent with our legal obligations. These notifications will be made on a rolling basis in the coming weeks. In the meantime, individuals with questions may contact the dedicated incident response line we have established to address questions about this incident, which can be reached at (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.
While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents. These efforts are ongoing. We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems.
We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined. Although we are unable to predict the full impact of this incident on guest behavior in the future, including whether a change in our guests’ behavior could negatively impact our financial condition and results of operations on an ongoing basis, we currently do not expect that it will have a material effect on the Company’s financial condition and results of operations.
The trust of our valued guests and members is deeply important to us, and we regret any concern or inconvenience this may cause.
For additional information, please visit https://response.idx.us/caesars. Information set forth on that website is not incorporated herein by reference.
US leisure and hospitality giant MGM Resorts is battling through an IT outage after a cyber attack forced it to take multiple systems down across its properties, leaving front desk and concierge services to fall back on pen and paper, rendering slot machines on its gaming floors inoperable, and supposedly locking guests out of their rooms.
The incident, which appears to have begun on Sunday 10 September, affected resorts all over the US, including several of the most prominent casinos on the renowned Las Vegas Strip, including the Bellagio, Excalibur, Luxor, Mandalay Bay, the MGM Grand and New York New York.
In a statement posted to X, the website formerly known as Twitter, the organisation said: “MGM Resorts recently identified a cyber security issue affecting some of the company’s systems.
“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cyber security experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”
At the time of writing, MGM’s main website remains inaccessible and the organisation is asking guests to contact it via telephone. The firm said its resorts, including dining, entertainment and gaming services are operational. It also denied suggestions that guests had been locked out of their rooms and suites.
The exact nature of the breach remains undisclosed for the time being – although Nevada has very strict breach reporting laws on its books. The fact that MGM Resorts appears to have pulled multiple systems offline strongly suggests its IT and security teams are trying to contain a ransomware attack.
Ryan McConechy, CTO of Barrier Networks, said that taking systems offline was a routine move at organisations that run large and complex networks, but until MGM provided more information, the exact reason would remain unclear.
“It is very costly move,” said McConechy. “For every minute the gaming floor was down, MGM was losing money. Likewise, with reservations and their websites still being down, the company continues to suffer massive financial losses.
“Understandably, this may be to prevent active attackers pivoting or malware spreading, but when organisations segment their networks effectively, this scale of downtime can usually be avoided,” McConechy told Computer Weekly in emailed comments.
“Organisations must work to segment their assets, so no attacker can ever reach everything at once. This stops the risks of malware spreading and means when incidents do occur, they can be more easily identified and contained without impacting other network areas, which saves significant financial losses caused by downtime,” he added.
Deep-rooted cyber issues Erfan Shadabi, a cyber security expert at Comforte AG, said the attack spoke to more deep-rooted security issues within the hospitality sector.
“In an era where digital transformation is reshaping the way the tourism industry operates, the reliance on interconnected systems and data-driven processes has never been greater,” he said. “As such, the sector becomes an attractive target for cyber criminals seeking financial gain or to exploit vulnerabilities for malicious purposes.
“The MGM Resorts incident is emblematic of this overarching challenge. Recognising the pivotal role technology plays in enhancing guest experiences, optimising operations, and facilitating global connectivity, the tourism industry must allocate resources to bolster its cyber security posture.”
In a report released last week, Trustwave’s research unit SpiderLabs revealed that 31% of hospitality organisations have reported a data breach, of which 89% have been affected multiple times in the space of a year.
The report outlined some of the cyber security challenges unique to the hospitality sector, such as a seasonal and less sophisticated workforce, constant turnover of users, ‘dirty’ networks open to the public, and physical security issues.
At the same time, the hospitality sector has been embracing new technologies such as the use of generative AI to improve guest experiences, as well as contactless payments, and an increasing reliance on third-party technology services providers, all of which increase risk.
“In an industry where guest satisfaction and reputation are paramount, staying secure while offering cutting-edge technology is a delicate balancing act,” observed Trustwave CISO Kory Daniels.
Read more about ransomware