The National Indian Gaming Association announced that it has formed a task force to deal with cyber attacks, just as reports surfaced that two more tribal casinos have been hit by criminal hackers.
The National Indian Gaming Commission, meanwhile, confirmed Tuesday during a session at the Global Gaming Expo that two more tribal casinos had their data hacked. The Commission’s cyber expert wouldn’t name the casinos, but according to local news accounts, the Ho-Chunk Nation in Wisconsin and Tesuque Casino in New Mexico suffered the cyber attacks. The Ho-Chunk was shuttered for four days in August.
The NIGA task force will meet later this month to “go on offense” to deal with the ongoing problem, Commission Chairman Ernie Stevens, Jr., told CDC Gaming on Tuesday. Stevens attended the session at G2E where the hacks were discussed.
“It’s a concern all over this world,” Stevens said. “Indian country has to deal with those types of targets. Since our trade show in July, we’ve developed a cyber security task force and we have training going on this month. We take this very seriously. We’re just going to jump in and do our best to combat the issue.”
Stevens said where there’s money and information, cyber attackers will come at you. It’s not just a tribal-casino issue, but one that affects the whole of tribal government.
Stevens is reluctant to talk too much about the hacking problems; being on the defensive, he doesn’t want to give away too much information to hackers.
“But I would like to be on the offense, prepared for this and to protect our territory,” Stevens said. “Indian country is used to defending territory. We’ve had years of these types of issues where we have to adapt. We have the expertise and knowledge and capable folks. Not only will we protect our own, but we’ll also help others around us. We’re not looking for trouble, but we are looking to protect.”
The problem with cyber hacks at tribal casinos became a national issue over the summer, when the NIGC said cyber attacks have jumped 1,000% since the end of 2019 and urged operators to protect their data and customers’ personal information from being captured by hackers.
The issue came to a head in June when six Oklahoma tribal casinos were subject to ransomware demands and had to close temporarily.
Compared to only one cyber attack in 2019, there were 12 incidents in 2020 and the first half of 2021. The number might be higher; tribes aren’t required to report the incidents to the Commission, something the Commission plans to change in the future.
“They’re the normal ransomware hits,” Tim Cotton, IT Audit Manager with the NIGC, told CDC Gaming. “They’re still ongoing. One happened Aug. 25th and the other happened Sept. 25th. My team is working with the tribes through those processes.”
Tribes have the option to pay to get their data back, but there are no guarantees hackers will return it, Cotton said.
“I don’t see an ending,” Cotton said of the hacking problem. “If there’s an opportunity for an attack on a group, attackers will (take it). It’s just a matter if the attackers can find a way in. A lot of times, they’ll get in and sit for 30 to 40 days before they do anything, because they’re gathering data. It’s incumbent on the tribes to make sure they have good procedures; hardened infrastructure can help thwart these types of attacks.”
Cotton said tribes are taking more steps since the problems have surfaced, and they’re asking the NIGC more questions and doing system audits to find weaknesses. More tribes are also seeking cyber insurance, he said.
A representative from Cotton’s team will be serving on the new cyber task force set up by NIGA that will meet in two weeks.
“What NIGA is trying to do with this panel is to help the tribes have more prevention tools in place. It’s very important, because it’s getting the information out there. We’re on the same mission,” Cotton said.
Tribes have been hit with demands as high as $1 million, but many are several hundred thousand dollars. Casinos and the revenue they generate are more vulnerable to having tribal data and customers’ personal information hacked. Many don’t have the staffing resources or expensive fixes in place to prevent hacks.
Mike Day, founder and CEO of TribalHub, which brings tribes and resources together and hosted a cyber security summit for tribes on Sept. 23, said they TribalHub be part of the NIGA effort.
“It seems like every other week we’re hearing about another attack, and it’s ransomware,” Day told CDC Gaming. “It’s not faring well for tribes. Let’s put it that way. They haven’t done the best job of getting prepared for this stuff.”
