As the Nevada Gaming Commission prepares to vote on new cyber regulations on Dec. 22, security experts Friday said that data breaches and cyberattacks will become worse for casinos as hackers become more sophisticated.
During a discussion at the National Council of Legislators from Gaming States conference, the panelists warned that casinos and other industries should prepare for more attacks on their platforms.
Just in the past two years, cyberattacks have shuttered casinos in California, New Mexico, Arizona, Oklahoma, and Wisconsin and prompted the FBI Cyber Division in November 2021 to issue a warning, citing ransomware attacks against tribal entities that have caused damages estimated to be in the millions of dollars. The attacks caused disruptions, including temporary casino shutdowns and the theft of sensitive data like credit cards, resulting in significant financial losses.
In recent weeks, DraftKings reported hackers were accessing customer accounts and about $300,000 in funds were affected. BetMGM admitted that scammers were accessing bank funds from its poker players.
“The current trends in cyber security (denial-of-service attacks) have gone up 400% in the last year and (other attacks) have gone up 300% in the last year and a half,” said Michael Tobin, CEO and founder of Continent 8 Technologies. “A huge amount of hacktivists out there are targeting people. It’s only going to get worse, as artificial-intelligence techniques are developed using supercomputers. There will always be bad guys and you have to be one step ahead of them.”
Without naming the company, Tobin mentioned a gaming customer with a sports betting platform that was under attack for five days in October by hackers harnessed from around the world. The customer, from a well-known brand, said, “We can’t handle this and please defend us.” Tobin added, “Our technical team thinks it was one of the largest attacks, not just on internet gaming, but globally in 2022. But we were able to handle it.”
Tobin said they got involved in negotiating the ransom demands and urged the client not to pay. The attackers belonged to a Russian-based group and the attacks involved 750 incidents with multiple U.S. states targeted.
“Trust me,” Tobin said. “I was biting my fingernails. I claim to be good, but you never know when someone beats you in some way. You need to constantly upgrade your skills.”
Tobin said regulators, policy makers, and practitioners need to work together to deal with this problem. Even the largest gaming operations aren’t cyber-security companies.
“Even some of the largest gaming companies don’t have people with the skills to defend them. The processes that you need to put in place to monitor are extremely critical and the technology is always changing and needs to be a constant focus for all of us.”
Michael Morton, senior policy counsel for the Administration Division of the Nevada Gaming Control Board, told conference attendees about the cyberattacks faced in Las Vegas over the years, sharing some of the most detailed information that’s been released to the public.
For the first time, regulators confirmed that in late February and early March 2020, the Four Queens and Binion’s in downtown Las Vegas were the victims of a cyberattack. The casinos had slot machines out of service for days and computers shut down as well.
“The two downtown casinos went black for five or six days,” Morton said. “An apparent computer outage affected the slot machines and other technology systems on the casino floor. It shut down the casinos’ websites and affected hotel check-in procedures to the point where guests had to pay cash to get into their rooms, because none of the computer systems was working.”
The most recent attack took place in January 2021 at the Dotty’s chain in Las Vegas. The company’s internal investigation showed a malware attack impacted employee and customer information.
Morton cited the attack against MGM Resorts International in 2019 that targeted a cloud server hosting personal information of hotel guests. Some 10.6 million records were stolen; 1,300 people had information compromised, such as driver’s license and passport numbers, Morton said.
MGM hired a firm for best practices to ensure such an attack didn’t happen again, Morton said.
The most recognized attack occurred when the nation of Iran targeted Las Vegas Sands with malware and shut down three-quarters of the company’s servers in Las Vegas, costing the company about $40 million for remedial measures and the restoration of its computer system, Morton said.
Morton also pointed out nationwide issues with DraftKings that started in November 2021 and are ongoing, with increased attempts at the unauthorized withdrawal of funds from customer accounts. Customers’ passwords were found on internet sites and the FBI is investigating how the breach occurred.
“What can regulators and legislators do to help prevent these attacks from happening?” Morton asked the audience.
Nevada gaming regulators have proposed cybersecurity requirements to protect operators’ information systems from attack. They’ll be considered at the Nevada Gaming Commission meeting on Dec. 22. The Nevada Gaming Control Board has already recommended them.
Nevada’s casinos would be required to do a risk assessment of their systems in 2023 and take any necessary steps to ward off an attack. If any breach compromised player data, credit-card information, and other records, including that of employees, properties would be required to report it to gaming regulators within 72 hours.
The proposed regulations require that an internal auditor or other independent entity with cybersecurity expertise perform and document observations, examinations, and inquiries of employees to verify cybersecurity best practices and procedures. They also require an independent accountant or some other entity to perform an independent review of best practices and procedures and attest to those in writing.
The proposed regulations would go into effect on Jan. 1.
There’s been some opposition from the casino industry, which says the proposals are onerous and especially expensive for single-property operators.