Cyberattacks and ransomware continue to threaten tribal casinos and enterprises, sometimes with devastating consequences.
In February, an attack shut down five Kewadin casinos of the Sault Ste. Marie Tribe of Chippewa Indians. Casinos and other tribal businesses were shut down for more than two weeks.
The cyberattack exposed the severe financial, operational, and reputational risks that come with a breach, and tribal nations need to fortify their defenses before they become the next target. Cache Creek Casino Resort in northern California has already been through one: it sustained a ransomware attack and closed for three weeks, starting in September 2020. Stephen Bailey, vice president of IT at the casino, participated in a panel discussion at the Indian Gaming Tradeshow & Convention on “Defending the Tribe: Ransomware’s Growing Threat.”
The panel discussion was moderated by Melissa Aarskaug, vice president of business development with Bulletproof, and included Oscar Schuler, chairman of the board of regulators for the Alabama-Coushatta Tribal Gaming Agency in Texas; Tom Wojcinski, a partner with Wipfli; and Scott Melnick, vice president of gaming security with AGS.
“What we’ve seen over the years is a lot of ransomware threat actors moving to social engineering, because they’ve discovered people can be the weakest link,” Melnick said. “The most famous recent incident was at MGM Resorts (in the fall of 2023), where they went through the help desk (to gain access to the system and curtail casino operations in Las Vegas and elsewhere).”
The hackers have been evolving since the federal government said it’s illegal to pay ransomware demands, and they are now moving to extortion, where they not only encrypt data but steal it as well, Melnick said.
“If you don’t want to pay, no problem,” Melnick said. “They will publish it, exposing your tribe’s personal information and everything you have. They keep evolving as we evolve. It’s a cat-and-mouse game.”
Bailey detailed the ransomware attack against Cache Creek and the suffering the organization went through.
One way to deal with an attack is to have an incident response plan on how to handle it, Bailey said. Systems will be offline and there needs to be a switch to doing things manually. The IT and security teams need to contain the situation and “limit the blast radius.” That means having retainers with companies and calling for help with the response, forensics, and containment.
“The more you have planned out in advance, the easier it will be for your organization to get through a very difficult time,” Bailey said.
Aarskaug said it sounds so basic to have a plan, but few tribes do so, and when something happens, it takes weeks to get organized.
“Our organization didn’t have a plan and we were down for three weeks,” Bailey said. “Imagine the amount of money the organization lost and the reputational impact. You’ll do a much better job if you plan in advance.”
All tribes now do security awareness and training, and Bailey said they’re doing social-engineering testing. Within the first day, employees were giving out their usernames and passwords to testers who impersonated the IT help desk.
“I can’t emphasize enough that training your employees and making sure they understand the risks are the basics,” Bailey said. “I personally believe people are the biggest risk in any organization. You can have layers of security in place, but how do you defend against somebody picking up the phone and giving out their credentials?”
To Melnick, how tribes respond to an attack is just as important as securing a network. Tribes that haven’t been hacked need to treat it as if it’s going to happen at some point. He added that he’s done tests where one day everything is fine and the next day a new vulnerability emerges.
“They’re not really looking for tribal resources, but low-hanging fruit, unless it’s a targeted attack like MGM was or most social-engineering ones,” Melnick said. “Hackers aren’t really educated on their targets. They look for anyone, but what I’ve seen with ransomware in tribal casinos is they assume they’re flowing with millions of dollars. They don’t understand the community and where that money goes. They think they’re loaded like MGM. They don’t really care either.”
Melnick said that while tribes have limited resources to address cybersecurity, they should invest in training, which can be done online. That would help make a difference.