Caesars hit by cyberattack as loyalty programme data is compromised
It has now been confirmed that the breach – attributed to a social engineering attack on an outsourced IT support vendor – allowed hackers to access the operator’s loyalty programme database, which included sensitive personal data such as driver licence and social security numbers.
Caesars immediately activated its incident response protocols and brought in cybersecurity experts to aid in the investigation, the company said in a statement on 14 September.
The company has now informed all necessary authorities, including law enforcement agencies and state gaming regulators.
Customer operations unaffected
Despite the serious nature of the breach, Caesars confirmed it did not affect its primary operations.
The firm’s physical establishments, online platforms, and mobile gaming and betting apps were able to continue without disruption.
Extent of the breach
An internal investigation conducted on 7 September revealed the attackers had successfully accessed the operator’s loyalty programme database.
This data set contained sensitive personal data such as driver licence numbers and even social security numbers for a significant number of members.
However, Caesars has so far found no evidence of leaked financial data, such as passwords, bank information, and payment card data.
“We have taken steps to ensure that the stolen data is deleted by the unauthorised actor, although we cannot guarantee this result,” said Caesars in an SEC filing.
“We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”
Caesars has now pledged to provide credit monitoring and identity theft protection services to all loyalty programme members.
Caesars said it had incurred expenses relating to the attack, including costs to respond to, remediate and investigate the issue.
The full cost of the breach is still to be determined, with the company hopeful its cybersecurity insurance and possible indemnification claims against third parties will alleviate any potential financial repercussions.
Despite the uncertainty, the operator expects no material impact on its overall financial results heading into Q3 2023.
“The trust of our valued guests and members is deeply important to us, and we regret any concern or inconvenience this may cause,” Caesars concluded.
Caesars confirmed the attack in the same week that Las Vegas casino rival MGM Resorts was forced to shut down operating systems following a cybersecurity breach.
Reservation systems, key card systems for hotels, and even gaming machines on casino floors were all out of action earlier this week, causing disruption for guests, who were forced to pay with cash across the operator’s suite of restaurants and bars.
The timing of the hack, combined with Bloomberg’s coverage of this unfortunate series of events, has led to increased speculation that Caesars paid a ransom to avoid a similar level of operational disruption.