Former lieutenant governor calls for Nevada Gaming Commission cyber briefing after MGM and Caesars hacks

Friday, September 22, 2023 1:49 PM
Photo:  Shutterstock
  • Buck Wargo, CDC Gaming

In light of cyberattacks on MGM Resorts International and Caesars Entertainment, former Nevada Lt. Gov. Brian Krolicki, now a Nevada Gaming Commission member, called for a briefing on the hacking incident to shed more light on what happened and how it can be prevented in the future.

Story continues below

The suggestion comes the same day the Massachusetts Gaming Commission met in executive session “to consider information related to an MGM cybersecurity issue.” It held a similar closed meeting on Monday.

After it returned to the public session on Thursday, the Commission entered into an executive session regarding security at MGM Springfield, according to the Commission agenda.

Krolicki made his comments at the end of Thursday’s five-hour meeting of the Nevada Gaming Commission. Since it was made during the public comment session, the commission could not take up the matter, but it’s likely the issue will return to the Commission and the Nevada Gaming Control Board at some point.

In the latest cyberattack that started being felt Sept. 10 and went into this week, hackers knocked slot machines out of commission and created havoc with ATMs and computer systems. MGM, which is reported by a Wall Street analyst to have lost between $4.2 million and $8.4 million a day with the hack, said its systems were operating normally across their properties nationwide as of Wednesday. Caesars reported it was hacked in late August and had customer information stolen but paid a $15 million ransom that avoided any shutdowns.

In December, the Commission approved cybersecurity regulations for the state’s gaming industry to protect operators’ information systems from attacks that could shutter casinos and compromise customer data. The rules went into effect Jan. 1. That approval came right after BetMGM reported that its customers’ personal information – including Social Security numbers – was obtained in an unauthorized manner and included information on their transactions.

In the regulations, casinos were required to do a risk assessment of their systems by the end of 2023 and take any necessary steps on an ongoing basis to ward off an attack. If any breach was successful that compromised player data, credit card information and other records, including that of employees, properties would be required to report it to gaming regulators within 72 hours.

“It would be important and enlightening given the recent events of the past week regarding cyber security and ransomware in particular at MGM and our friends at Caesars and look at how it impacts our world and regulatory responsibilities,” Krolicki said, later adding,  “I think at some point in time when there’s the energy and understanding of what just happened if we could get some kind of briefing of what transpired that’s appropriate for public record and perhaps policies going forward of how do we avoid these things and if they do happen whether the reporting schemes on whether it was immediately reported to the Gaming Control Board. There are a lot of questions and a lot of publicity. It’s a global story, and I just think it would behoove all of us to get a good handle on what just happened.”

The Nevada Gaming Control Board released a statement on Sept. 13 saying Gov. Joe Lombardo and the board “are monitoring the cybersecurity incident with MGM Resorts and are in communication with company executives. Additionally, the Nevada Gaming Control Board remains in communication with other law enforcement agencies.”

Casino consultant Brendan Bussmann, managing partner of B Global, which tracks gaming boards and commissions, said the Massachusetts hearing won’t be the last and expects states across the country to hold similar sessions wanting to hear from MGM executives.

“Nevada is the second regulator that I know has raised their hand on this after Massachusetts,” Bussmann said. “It should be about what happened and how it happened, which should be considered confidential information. This is going to be a question that every regulator for both commercial gaming and tribal gaming is going to be concerned about. Since we’re still trying to figure out what happened, then we can see what tools we need as an industry to beef up our efforts on cyber-related events.”

While everyone is focused today on MGM and Caesars, this is not the first cyber attack, Bussmann said.

“This can go back to the Las Vegas Sands attacks in 2014 from the Iranians and any other data breaches that happened between then and now,” Bussmann said. “I would expect every state at a minimum has MGM and Caesars in it to at least say what happened and what can we do regulatory to help this and what can we do with testing and what can we do IT and host of things.”

Bussmann said the regulators can’t be reactionary but instead should get evidence on how it happened and use the best resources outside of the casino industry, such as security firms, to do it right.

“There’s no one better suited to regulate Nevada on this issue than the Gaming Control Board in working with law enforcement partners across the country,” Bussmann said.