The chairman of the Nevada Gaming Control Board Wednesday urged casino operators to remain vigilant after one of the largest ransomware sprees in history, along with cyberattacks on Oklahoma casinos in June. Last week’s attack carried out by Russian hackers, according to cyber experts, impacted hundreds of American companies and more than 1,000 companies worldwide.
No Nevada casinos were victims of the latest hack, but they have been repeatedly attacked in the past. In June, six Oklahoma tribal casinos were hit by a ransomware attack and were temporarily closed. In February and March 2020, the Four Queens and Binions in downtown Las Vegas had slot machines out of service for days and computers down in what was reported as a suspected cyberattack.
“We have been talking about cyber security with applicants and licensees on a regular basis, and ransomware is a big deal,” said Commission Chairman J. Brin Gibson. “With these cash-heavy businesses, it’s going to be a big deal going forward and a major challenge.”
The issue came up Wednesday during the board’s monthly meeting when it recommended John Robert Bollen, chief information officer for The Cosmopolitan, be licensed as a key employee.
“Cyber is on our mind all the time,” Bollen told the board. “Patching is a big deal with all the ransomware going on. That has to happen monthly. Certain systems and applications aren’t wholly modern architecture, so we have to be careful how we do those, as not to distress revenue or operations.”
Bollen said they just completed a major information-technology upgrade to deal with versions of old databases that had “vulnerabilities and cyber concerns.” The Cosmopolitan modernized its lodging, food and beverage, retail, and gaming systems, he added.
Bollen told the board they’re continuing to add to their cyber security staff, but it’s difficult to fill positions. He said they even re-encrypted a credit-card key early Wednesday morning as part of protecting the system.
“One thing that keeps me up at night is cyber security,” Bollen said. “There are a lot of open barn doors that we have to close to keep the company safe from cyber attacks and malware. A lot of times, those in operations don’t quite understand why we’re patching or scanning or doing things at four in the morning to reboot after they’ve been patched. They look at it as an inconvenience, but it’s something we needed to do to maintain the integrity of the operation.”
Bollen, who joined The Cosmopolitan in June 2020, said they’re fortunate to be a portfolio company of Blackstone, a New York-based investment firm. He said they have a strong relationship with Blackstone’s cyber-security and information-technology teams and receive a lot of notifications about vulnerabilities and potential issues, along with action plans to address them.
“I feel like we’re at a really good spot with cyber security at this point in time,” Bollen said.
Cyber security experts have long warned the casino industry about the threat of having their data hacked, which would include credit-card and other personal information of customers.
In 2014, hackers, later determined to be Iranians, targeted Las Vegas Sands and stole credit-card data, Social Security numbers, and driver’s license numbers of customers. Hard drives were also wiped and the website defaced.
In 2013, Affinity Gaming reported its credit-card system was breached in 12 casinos in four states. In 2015 and 2016, the Hard Rock reported data breaches that targeted credit cards. In 2017, there was a report of an unnamed North American casino targeted by hackers through a fish-tank thermostat. And last fall, the Cache Creek Casino Resort in northern California was closed for three weeks following a cyberattack.
Willy Allison, founder of the World Game Protection Conference in Las Vegas, said there have been more than a dozen casino cyberattacks across the country in the past year-plus.
“The past year has been, by far, the biggest threat in regards to casinos,” Allison said. “And the only time we hear about it is when they have to shut down. Nobody wants to talk about their customers’ information being compromised.”
Allison said that while it’s a problem that impacts every industry, not enough cyber-security resources are put into casinos, which tend to take “a reactive approach.” Larger casinos have the resources to deal with it, but the smaller casinos and tribal gaming are being targeted the most, he said.
“People view it like an asteroid attack, with the chances of them being hit by one being pretty low, when actually it’s not an asteroid attack, but happening every day,” Allison said. “They better take it seriously, because there are only two things I know that have shut down casinos in my career for weeks — the pandemic and a cyberattack. They’re both viruses.”
