Cyberattacks at tribal casinos across the country have jumped 1,000% since 2019 and the National Indian Gaming Commission is urging operators to take precautions to protect their data and customers personal information from being captured by hackers.
Six Oklahoma tribal casinos were subject to ransomware demands in June and closed temporarily. Last fall, the Cache Creek Casino Resort in northern California was closed for three weeks following a cyberattack.
Tim Cotton, IT Audit Manager with the NIGC, told CDC Gaming that there was only one cyberattack on a tribal casino in 2019, but a lot has changed since January 2020, with 12 incidents reported to the Commission since then. The exact number is unknown; tribes aren’t required to report the cyberattacks to the Commission. But that could change, according to Commission Chairman E. Sequoyah Simermeyer, who appeared with Cotton and Chief of Staff Dustin Thomas during a panel discussion on cyberattacks at the NIGA Tradeshow & Conference on Wednesday.
“The numbers have shot up in Indian Country and those incidents end up as ransomware, because everyone is looking for money,” Cotton told the audience. “Indian gaming is ripe for this type of activity, because no one has really been paying attention. Everyone has been looking at every other industry. But these (gaming revenue reports) go out every year, so somebody’s watching.”
Cotton said demands are usually a few hundred thousand dollars, but he’s seen some in excess of $1 million in Indian Country. In some cases, tribes have paid ransoms to get their data back, then retrieved only a piece of it. Then, two to three weeks later, they’re hit again, he said.
“I know of one tribe that paid a couple of times, but never really received all of their information,” Cotton said.
Hackers are looking for a hole in the system and any opportunity to exploit and now, according to Cotton, it’s gone a step further. If the hackers can’t get money out of the attack itself, what happens next is an exploitation or extortion of that data. They tell the victim that they’ll sell whatever proprietary information they’ve seized.
Cotton said that more people today have remote access to systems than before, which provides an opportunity for “the threat actors to get involved and lie in wait to attack the system. What we’ve found in looking at a lot of systems that have been attacked is poor policies and procedures, plus maybe the system was being upgraded. It’s important to have proper procedures in place, and backed-up data, because they’re going to continue to hit Indian Country.”
Thomas told the audience the NIGC took the problem seriously even before the pandemic, but earlier this month went through ransomware training that’s now available to tribes.
“It’s a new threat, evolving across our industry, but it’s not exclusive to Indian gaming,” Thomas said, citing the recent ransomware attack on a gasoline pipeline by Russian hackers. “All kinds of cyber threats are going on in the world today. Indian gaming isn’t immune, but we’re not talking about millions of dollars in ransom. It may be a couple hundred thousand, which is more likely to be paid. We have incidents where it’s been negotiated down to ten or twenty thousand dollars. In some cases, nothing was paid. There’s been a mixed approach. The FBI recommends not paying the ransom, but there’s a lot for most victims to consider.”
Tribal casinos are encouraged to work with the Commission on test audits to find weaknesses in their systems. That, in turn, leads to a more intensive examination that could address what needs to be fixed, including infrastructure, software, other technology, staffing, and even training. Thomas said those tribes that don’t have a plan in place face the more serious consequences.
“Suddenly, everything is locked down and they wonder what they should do,” Thomas said. “It’s a situation where they don’t know who to call. The biggest point should be not planning for if, but when.”
More tribes are even obtaining cyber insurance to protect themselves, but policies may not be paid out if tribes didn’t take the proper protocols to avoid the hack, Cotton said.
Thomas said casinos need to be prepared and have someone designated to negotiate with the hackers.
NIGC Chief Information Officer Jun Kim said protecting against cyberattacks comes down to risk management and that not every tribe has the resources for technology and staffing and the procedures in place to try and prevent hacks.
“A shortage of resources is common in the industry and a typical problem we all have,” Kim said. “There are malicious actors out there and they’re always on the lookout for easy vulnerabilities and to take advantage of those opportunities. Continue to work on that playbook to ensure you have a cyber security plan to maintain operators and be prepared for an attack.”
Cotton said that when there have been attacks in Indian Country, the NIGC has provided information and guidance to tribes across the country to help those who haven’t been attacked.
Many tribes don’t report because they don’t want to put any information out there that they’ve been attacked, officials said.
“We get that,” Cotton said. “It’s a sensitive matter, but we want to ensure that on the flip side, you’re being taken care of. Because we’ve had some many tribal partners attacked, we’ve put together a document that helps you walk through that process.”
Thomas said while he understands that some tribes have difficulty funding upgrades and increasing staffing to prevent hacks, it should be near the top of the priority list in addressing risks to their properties.
“It’s costly when an attack occurs,” Thomas said. “It’s pay now or pay later.”