Former spy: Casinos face threats from inside and out

March 8, 2023 9:12 PM
  • Buck Wargo, CDC Gaming Reports

A former U.S. military spy told casino-surveillance executives that the threats and vulnerabilities they face will only burgeon as the industry is projected to grow by $12 billion over the next few years.

Vaillance Group CEO Shawnee Delaney, a former clandestine officer with the Defense Intelligence Agency who conducted human-intelligence operations in Iraq and Afghanistan, spoke Wednesday during the World Game Protection Conference at the Tropicana Las Vegas.

“You might be wondering what a former spy is doing here today and what espionage has to do with security and cybersecurity,” Delaney said. “A lot. Spies, social engineers, and other malicious actors all use the exact same techniques to get access to you and your people, systems, and network.”

Delaney noted some vulnerabilities that are unique to the casino industry. For one, casinos rely on third parties for services, and hackers make a lot of money by accessing casinos via third-party systems.

Some 51% of companies in the gambling industry, a number Delaney said may be low, believe they’ve suffered a data breach caused by a third party. Hackers have many opportunities to get into a casino network and access data, she said.

“Third-party threats are the most often overlooked,” Delaney said. “Can you control who they’re hiring and if they’ve gone through training? You have no control over these third parties and this is something you’re going to have to assess.”

Another concern is how casinos use internet connections for wearable devices, cameras, motion detectors, consumption-tracking technology, trackable casino chips, and cell phones for checking in and out of hotels. Delaney related that one casino was hacked via its fish tank.

“You’d never think that a thermometer for a fish tank that’s connected to the internet would be exploitable,” Delaney said. “Hackers got in, disrupted the network, took everything, and pulled it up into the cloud. Integrity, confidentiality, availability — all gone.”

Online gaming, which continues to emerge, is heavily targeted by hackers trying to take over accounts. They hack into customer accounts and steal banking details and other personal data.

Not only are a casino’s investigation and triage costly, but media blowback also damages its reputation, because customers expect their data to be protected.

For example, Delaney cited cases from a decade ago when the Las Vegas Sands and Hard Rock Hotel & Casino were hacked; between the two, they lost more than $1 billion on their gaming websites and operational networks. The Sands hackers, tied to the government of Iran, obtained earnings, staff, and customer information and “keys to the kingdom.”

In 2014, the Venetian and Palazzo, which were owned by the Sands, lost $40 million when websites were hacked and taken down, and personal information of staff and high-profile customers was taken.

Delaney also recounted the hack of BetMGM and DraftKings late last year; more than two million accounts were offered to be sold on the dark web.

It’s not just outsiders. Insider threats include fraud, sabotage, espionage, and theft of intellectual property and trade secrets. Workplace violence is also a problem that people don’t think about.

Some employees are duped and/or manipulated into revealing credentials to hackers, which costs companies the most per incident, three times more than negligent insiders.

When the pandemic started, Delaney said they saw a “significant rise” in insider fraud and theft of intellectual property. It’s the most prevalent insider threat.

“People, I think, were hedging their bets,” Delaney said. “There were a lot of job losses and a ton of layoffs, especially in the tech sector. People were really worried about how they were going to provide for their families. So they pocketed stuff, either money or technology.”

Fraud is the only category that slightly more women than men commit, Delaney said. It’s usually committed during business hours by lower-level staff and people who aren’t highly sophisticated.
Motivations include low-paying jobs, a lack of job satisfaction and loyalty, debt, addiction, revenge, and a hostile work environment.

IT sabotage is a threat from those with technical positions and privileged access. Most of it is done after business hours, and about 75% of cases cause business disruption. These employees are motivated by financial gain, politics, addiction, revenue, and power. It’s similar to corporate espionage, which costs businesses $400 billion to $600 billion in theft of intellectual property. Most insiders who are caught for espionage are male, either engineers or scientists.

Malicious insiders who are intentionally trying to harm the company or someone in it are the smallest percentage of cases at less than 10%, Delaney said.

Delaney urged casinos to develop a robust insider-threat program, conduct threat-vulnerability assessments, and create enterprise-wide training and awareness.

“Build awareness campaigns, have training, do Hollywood videos, and do microlearning,” Delaney said. “Do whatever you have to do. There’s a return on investment. You don’t want to wait until there’s a horrible fish-tank incident.”