Every business that deals with money is vulnerable to cyberattacks.
But the gaming industry – because of its complexity and multiple points of entry – is particularly at risk. MGM Resorts International was attacked in 2023, as was Caesars International. Station Casinos suffered a major breach this year.
“(The gaming industry) has been around (since) pre-digital,” Kinectify Chief Technology Officer Mike Calvin said during a CDC Gaming Roundtable. “They’ve had to grow their systems and adapt to new technologies and in ways that online gaming, for example, hasn’t had to, which leaves them with analog and potentially outdated systems running in their environments. I don’t want to say (they are) slow to adopt, but maybe kind of behind the power curve on cloud adoption.”
Casino operators certainly are aware of cybersecurity attacks. The question is their commitment to commensurate investments in preventing intrusions.
Cybersecurity expert Tyler Martin notes the rate of adoption for security measures often fails to keep pace with technological advancements.
“They’re not just trying to protect the gaming floor. They’re trying to protect their POS (point-of-sale) systems, their hospitality systems, all these other pieces,” Martin said. “They’re interconnected and intertwined so much, so it really just kind of becomes like, okay, we’re going to shore up our technology, new infrastructure, or whatever it is on these select systems, and as soon as they do that, we now have things like AI or these other emerging technologies that are showing face front and center.
“Realistically, they’re never going to get in front of that or ahead of that. So what you find typically is sort of maybe the opposite of your question of ‘yes, we are aware of these things.’ What level of compensated controls or risk acceptance are we okay with that ultimately allows us to fix them over time, given the typical budget constraints that we see with cybersecurity.”
DruStar Executive Vice President of Client Strategy and Growth Melissa Aarskaug says that during meetings with operators, she comes away with the same impression: Cybersecurity software is nice to have, but not the first thing a CEO thinks of when compiling necessities.
“When I think of a casino, they have to have slot machines,” Aarskaug said. “A lot of times they were forced into sports betting because their neighboring casino had it, and they didn’t have it. They have to have point-of-sale terminals to run food and beverage. These are things they have to have. Cybersecurity, data security, is secondary to that. They’re going to a buy an AC unit before they but a security assessment or a security tool.”
The quest for cybersecurity is particularly acute among small operators and casinos. Smaller organizations, according to Calvin, will outsource cybersecurity functions, “which reduces their control,” he said.
“But it also reduces their risk for the surface area for where these cybersecurity attacks can come from. From my perspective, though, it’s really not about the technology causing the cybersecurity risk, because as we all know … it’s easier to initiate a hack with a phone call than it is with some bot that you’re running against their infrastructure.”
Indeed, the easiest way to breach a cybersecurity wall is via humans. Martin said anyone – from a front-line employee to a vice president – can inadvertently, or tacitly – supply access to a casino.
Martin considers them to be “inside threats.”
“This is not outside coming in,” Martin said. “This someone wants to get some sort of advantage, whether it be a competitive advantage, or it could be malicious. You name it. They’re looking inside and preying on people that may be unhappy in their role.”
Other casino systems, from point of sale to food and beverage to concierge, also can be targets.
“If that’s just so out of date; that’s where they’re going to focus,” Martin added. “That’s the entry point, and then from there, the rest could be history because they’re just going to move laterally across the whole environment.”
Aarskaug notes that she has been involved in thousands of cybersecurity projects, and in the past year, she’s developed a different viewpoint. She’s conducted multiple regulatory audits, and Aarskaug used to look at how cyber criminals would target player data.
But if Aarkaug was trying to breach casino security, it would be via employee data.
“Think about how much turnover a casino has, constant turnover, setting up email boxes, shutting email boxes down,” Aarskaug says. “That data goes from one person’s SharePoint to another, and we’re just kind of keeping SharePoint links open, attachments open. There’s a lot of open holes, and I believe I would go after the data because the casinos don’t want their data out there, whether that’s their IP, their employee information, their players. I would start gathering that through LinkedIn, through where I could get in. It’s easy because everybody’s data is online. Who works where, and what do they do? And then I would just find the weaknesses.”





