Cyberattacks that limited operations at MGM Resorts International properties across the country and compromised Caesars Entertainment customer data have served as a warning to tribal operators as they gather this week in San Diego for a technology conference.
The TribalNet Conference & Tradeshow, the largest community of technology-minded professionals from tribes across the U.S., kicks off Monday and runs through Thursday with more than 600 attendees and 160 exhibitors, including companies showcasing cybersecurity software and services.
Cybersecurity has taken an increased spotlight in the conference over the last couple of years as tribal casinos have been attacked. This year, nine separate breakout sessions focus on it, compared to six a year ago at the conference in Reno.
TribalHub, which puts on the TribalNet conference, hosted its third annual cybersecurity summit earlier this year.
After a sharp increase in successful cyberattacks in 2021 that shuttered tribal casinos, reduced revenue, and prompted ransomware payouts, tribal operators have invested more in technology and taken other steps to ward off these crippling events.
Up until recently, tribal casinos were bigger targets than commercial properties, which invested more in security after several high-profile ransomware attacks against some of the bigger operations over the last decade.
The global attention this past week has switched to the commercial side. After a cyberattack on September 10, MGM Resorts properties have been gradually overcoming issues with slot machines and ATMs out of commission, computer problems leading to long lines for check-in, loyalty programs down, and other systems compromised. Russian hackers are believed to be responsible, with reports that they’re demanding a ransom.
Caesars avoided those problems when, reportedly, it paid off hackers after they infiltrated the company’s computer systems in late August, accessing Social Security numbers and driver’s licenses.
“Everybody working in gaming and hospitality is watching this and is concerned about it,” said TribalHub CEO Mike Day. “Part of why we created Tribal-ISAC (Tribal Information Sharing and Analysis Center) that helps warn, inform, educate, and prevent or mitigate cyberattacks for Native American tribes and all of their enterprises was so we could share information as quickly as possible. When something happens in gaming or hospitality or to a tribe and has been successful, the likelihood of it happening to a similar organization goes up astronomically.”
Day said tribes are worried and the faster they can share information about what happened and how everyone can remediate or protect themselves, “the better off we all are.”
When it comes to corporations, however, there’s a cone of silence, and Day said they’ve reached out to MGM officials to offer tribal ISAC support if needed.
“We have a common enemy — anybody threatening this industry,” Day said. “One of the largest security forces in gaming and hospitality just got shut down. It’s a tough battle.”
The attacks on tribal casinos occur daily, but the question is whether they’re successful, Day said. Only when they are does it makes the news and Day said nothing has happened recently to tribal casinos like what did with MGM and Caesars.
“Everyday people are remediating phishing attacks and things they’re able to isolate to a smaller area of their network in tribes across the country,” Day said.
The size of the MGM footprint in Las Vegas and across the country appears to have made a difference. “If you’re protecting a small property, that’s one thing, but as you expand, your attack vectors increase astronomically.”
Justin Raisor, a sales manager with Vectra AI, a San Jose-based cybersecurity company, said the industry will be talking at the San Diego conference about how large entities fall into “technical debt.” The systems commercial casinos have been using for decades are critical to the operation, but they have to make sacrifices to security to keep them running because of the cost.
“You’re stuck with trying to take a less-than-ideal approach to protecting these technical-debt systems in casinos,” Raisor said. “Cybersecurity isn’t just a product or a solution. It’s a methodology and framework you adopt and put into your environment in pieces. An organization can have the best tools in the world, but if they operate in different silos and different teams are responsible for looking at them, that’s a blind spot. These attacks will continue be fruitful for the bad actors until more understanding of the blind spots around technical debt and more orchestration is incorporated into these security postures.”
Raisor said they may never know the full story of what happened to MGM, but since gaming operations were coming back online that led him to believe that maybe a ransom was paid to bring services back online. He said his contacts in Las Vegas believe $30 million was paid by Caesars as part of its ransomware. Other reports suggested $15 million.
“We see a lot of these attacks come from foreign states like North Korea, China, and Russia,” Raisor said.
John Iannarelli, who served on the Cyber Division executive staff at the FBI and was a former assistant special agent in charge of overseeing cyber investigations, said casinos across the country have staff on high alert and checking out their networks for any suspicious activity.
Iannarelli said the people doing these hacks are looking for financial gain, whether cash payments or data like credit-card information.
“This is big business in other countries, but it doesn’t mean it’s conducted by a country,” Iannarelli said. “Countries like China or Russia know that by messing with the economy, it hurts the country as well. Sometimes it’s done with a wink and nod where the country doesn’t care what the hackers are doing. Cyber crime is the issue for casinos. That’s where you’re going to lose your money these days. Casinos need to take that to heart and make sure they have protections in place.”
Day said a lot of possibilities could have prompted the MGM hack. With all of their sites, employees, and third-party vendors, a rogue criminal could be the blame, or someone who was lax for one minute of one day, or a nation state working against the company.
“It could be lots of big things or lots of simple things. Even the smallest things could immediately create this if they were done by the wrong person or an insider with the right access. All of those things have happened in the past. It’s really hard to protect yourself against everything.”
Raisor credits tribes for sharing information with one another, unlike corporate gaming companies, for heading off attacks against their properties and organizations. One tribal customer has seen a 300% increase in attacks on their casino over the last two years, he said.
“The fact that the tribal casinos are constantly attacked shows that maybe they’re doing a better job of communicating these threats as they emerge,” Raisor said. “The conference is a focal point for the tribes to get together and talk about these types of challenges and how they all need to be on the lookout for it and what to do.”
Day said the attack will get the attention of tribal leaders, who will better understand that it takes investment in cybersecurity measures to protect their organizations, ranging from casinos to healthcare.
“There will be buzz about it and certainly more discussion. You can win two million games in a row and no one says thank you, but one blip from something nefarious or impossible to catch and suddenly you’re worthless in one day.”