
Two Major Hotel Chains Hit by Cyberattacks – Two Different Outcomes

Caesars Entertainment, which calls itself the U.S.’s largest casino chain, sort of says it paid a ransom to avoid the online leak of customer data stolen in a recent cyberattack.

The attack compromised the chain’s loyalty database, which, according to them, includes driver’s license numbers and social security numbers of many customers.

Caesars’ 8-K filed with the SEC suggests that Caesars paid a ransom in the $15 to $30 million range.

In theory, the idea behind paying the ransom is to get the hackers to delete the data, but since they are crooks, possibly tied to a non-friendly government, they likely took the money and are still going to sell the data.

Caesars said that they have taken steps to ensure that the stolen data is deleted, but we have no idea whether they will or not.

The group that is thought to be behind the attack is called Scattered Spider, UNC3944 or Roasted 0ktapus.

The attacks are financially motivated and use a combination of MFA fatigue, social engineering and SMS credential stuffing – in other words, low-tech but easy-to-execute attacks. Credit: Bleeping Computer

On the other side of town, the MGM entertainment chain was also hit by a cyberattack at roughly the same time. The 8-K that they filed with the SEC was basically devoid of any information, but it appears that they did not pay a ransom, because customers are complaining that they cannot get into their rooms, can’t use their credit cards, many of the machines in the casinos are dark, etc.

MGM runs 30 hotels and casinos, so this outage is probably pretty expensive. At this point, reports are that their website is still down. Credit: Dark Reading

Both companies, because they are publicly traded, are required to file a notice with the SEC within four days of deciding the breach was material. Lawyers hate this because it doesn’t give them much time to spin the narrative. Credit: Dark Reading

MGM’s revenue last year was around $4 billion; Caesars’ revenue was around $11 billion. This has nothing to do with the amount of money that flows through their casinos, which is probably 10 to 100 times that much.

It does not take a rocket scientist to figure out that, given the amount of money these organizations move, if a hacker could get a small slice of that – maybe a tiny fraction of one percent – they would be set for life.

They are not disclosing what information, besides the loyalty database, was stolen.

One tends to assume (or hope) that big companies like this, with large buckets of cash, have good cybersecurity, but that is far from a given. As this unwinds, we will learn more, but likely the source of these two attacks was a simple social engineering con, possibly of a vendor to the casinos – possibly the same vendor for both casinos.

One report says the hackers behind this are in their teens or early twenties and in the U.S. and U.K. If true, it is likely they will be caught.

We will probably see how good their security practices are.

Stay tuned for more details.
