Cyberattacks targeting casinos have become guerilla warfare with no end in sight: panel

Saturday, December 7, 2024 3:21 PM
Buck Wargo, CDC Gaming

A panel of cybersecurity experts said the gaming industry is increasingly vulnerable as a growing number of less sophisticated hackers can inflict damage and extort money from casino operators.

During the annual Gaming Law Conference of the State Bar of Nevada, hosted Friday at Palms Casino Resort Las Vegas, Scott Scherer, a partner with Brownstein Hyatt Farber Schreck, asked the panel whether the gaming industry is different from others when it comes to threat landscape, preparedness, and incident response from cyberattacks.

“It’s a sexy industry that draws more attention from threat actors, the government, and press,” said Nancy Ramirez Ayala, senior vice president, general counsel, and compliance officer with Ainsworth Game Technology. “Operators collect a lot of sensitive personal information for KYC purposes and financing reporting—names and credit cards, but also Social Security numbers and biometric data. That information is much more valuable for threat actors to gather to extort gaming companies.”

Erik Gaston, chief information officer and vice president of Global Executive Engagement with Tanium, said he deals a lot with regulated industries, including banking and financial services, and sees a lot of similarities with the gaming industry and its growth.

“Most industries grow at the edge. Think about how (the casino industry) is growing with online gaming,” Gaston said. “Most people’s identities are there and we’ve crossed a threshold as an industry very similar in ways to banking. The industry needs to recognize that more regulation is coming, similar to financial. Right now, it’s time to take a different look on how to approach your cyber.”

In September 2023, cyberattacks temporarily crippled MGM Resorts, with casinos, ATMs, hotel rooms, and other operations interrupted for more than a week after the company declined to pay a ransom. Caesars Entertainment, which had customer data stolen, did pay $15 million to avoid the same fate.

Jack Hobaugh Jr., an attorney at Brownstein Hyatt Farber Schreck, said he gets emails on a daily basis about new litigation prompted by cyberattacks, because breaches and compromised personal data inevitably lead to class-action lawsuits.

“Plaintiffs are being very aggressive right now in this area. Some of these complaints you can laugh at. But in the end, they’re not laughable, because they cost a lot of money. I see this trend continuing and growing and don’t know where we’re going to end up on it,” Hobaugh said. “I’ll close with a provocative statement: No one is protected.”

Gaston said there’s more vulnerability as the hackers evolve. “You’re entering a new world. The attackers are different. Rather than nation states, attackers are now independent gangs. Ransomware is nice, but they want to set up a recurring revenue business. Now, you’re dealing with multiple and more sophisticated attacks with generative AI and the use of deep fakes. There are so many different ways to catch somebody off guard.”

Ayala also sees cyberattacks increasing, with hackers taking and encrypting data and shutting down systems. The hackers have better plans on how to extract the most value.

Hackers used to be programmers who built the software to launch attacks, but now they can go out and get ransomware as a service, Hobaugh said.

“They don’t have to be that smart,” Hobaugh said. “The business model has changed. The people writing the code aren’t as interested in being the hackers. They’re interested in selling their services. It’s a better and more sophisticated business model for them. They’re criminal business people trying to get your data and now with AI, it’s getting tougher to spot this stuff.”

“I’ve been to the spaces where they collaborate,” Gaston said, “and their quotes are, ‘This is the best recurring business model I’ve ever had. I’ll own my own island in a few months.’ They really look at it like it’s a legitimate business.

“The biggest shift we’re seeing is from ransomware to extortion, a recurring model that follows the money. That model is very real and unfortunately, every company has to understand whether they’re confident enough to call the bluff. It’s a very different game.”

As for how they can reduce risk, Ayala called for gaming companies to do incident-response planning and table-top exercises. Plan, be ready, and test the systems and people’s knowledge over and over again, because attacks are going to happen.

“The landscape has changed and you need to take a preventive posture,” Gaston said. “We’re literally fighting a guerilla war here. It’s all the stuff out on the edge, an environment that’s no longer contained and because of that, you can no longer ask, am I protected? Is the wall high enough? Is the machine tuned properly? That doesn’t matter anymore. That’s kid’s play for professionals. Rather, you need to ask yourself, What do I look like to the attacker? What does my business look like from the outside? If I’m out on the edge, how many windows and doors are there and how many things are left open? It’s not what I looked like to an attacker a week ago, but right now. If you can’t answer that question, you’re very vulnerable at this point.”