The expansion of U.S. sports betting and the use of mobile and Internet wagering increases the opportunity for hackers to steal data from casinos and compromise customers’ privacy, especially during the Super Bowl and other major events.
Jeffrey Greene, a partner with Greenberg Traurig in Boston, an expert on cybersecurity and data protection, said Friday, “When you have increased growth, you have increased risk profile,” referring to legal sports betting now taking place in 14 states.
Greene, speaking Friday at a UNLV William S. Boyd School of Law conference dealing with the impact technology has on the gaming industry, said “online gambling is a new data point.”
Greene added that, “if someone asks me how do we reduce risks. I say reduce endpoints. A phone and a computer are end points.”
He outlined his concerns on data breaches that could happen as sports betting grows in the U.S. At least six additional states and Washington D.C. could add the activity this year.
“I think with the expansion of online gaming and sports betting, and they are saying 11.8% growth from 2018 to 2026, and a value of $128 billion by 2026,” Greene said.
Data hacks can cost casinos and other companies tens of millions of dollars in lawsuits and settlements. Worldwide data breaches in 2019 cost companies more than $2.1 trillion.
Greene said companies need to “test hack” themselves to see how much risk they face and upgrade training, so employees don’t click on suspicious email attachments.
“I suggest with online gaming and sports betting, enhance the awareness (of hacks and data protection) during major events like the Super Bowl or NCAA Final Four,” said Greene.
He said the threat landscape for companies is increasing with more sophisticated hacks out there.
“The cost of data breaches is rising. When we keep the amount of data, we keep it’s very easy for hackers to get a lot of records very quickly,” he said.
Hospitality and retail are among the top seven targets by hackers to go along with health care, financial services, government, web, and education. Greene said any casino is going to be a target-rich environment, based not only on growth, but by adding more data such as biometrics, including facial recognition and fingerprints, that exposes the industry to greater risk.
“I look at gaming and see the retail shops and hospitality sector, restaurants and shows — anyone of these is susceptible to risk,” Greene said. “Casinos are data-driven entities. We capture a tremendous amount of information beyond the gaming information. We have all the information generated at the point of sale (including) stores, restaurants and entertainment venues.”
The risk with gaming companies industry concerns the data about their patrons in active systems. Casinos also have a large amount of data in obsolete legacy systems, which can cause a problem because no one is paying attention to those areas.
“We should be asking ourselves ‘should we be on a data diet?’” Greene said. “We need to thin out and lose some of our diet because there is so much dark data sitting on company servers that few people have any awareness off and that presents a huge risk. Casinos are data machines and gather data at an extraordinary rate, and the more data we have the more we have to protect. I advocate for using data for as long as you need it but once you don’t need it anymore, get rid of it.”
Greene said there’s four different groups of hackers that are creating havoc from criminals looking to profit, company insiders who have personal motives, ‘hacktivists’ trying to make a political statement, and countries that are trying to do harm and make a statement as well.
In 2014, Las Vegas Sands Corp. was the target of a hack that stole credit card data, Social Security numbers, and driver’s license numbers of customers. Hard drives were also wiped out, and the company’s corporate website was defaced.
Federal authorities determined hackers from Iran were responsible.
Hard Rock Enterprises’ casinos were victims of three hacks 2015 to 2017, which primarily targeted credit card numbers. Greene added a report surfaced in 2017 of an unnamed casino in North America that was targeted by hackers through a fish tank thermostat. The breech resulted in millions of dollars in lawsuits.
“It is not only the cost of the breach but the reputational harm,” Greene said. “The reputational risk out there is significant. The companies with incident response teams that did significant testing of their systems and were as prepared as they could have been saved about $1.2 million per breach. That goes to being prepared at the end of the day. It doesn’t prevent a breach from occurring, but it helps significantly.”