Caesars Entertainment disclosed on Thursday details surrounding a data breach it suffered last week that began with a social engineering attack.
Bloomberg first reported that Caesars was attacked Wednesday, claiming the casino giant made a multi-million dollar ransom payment in response to an attack that had begun in recent weeks. Caesars published an 8-K filing Thursday with additional detail regarding the extent of the attack. In the filing, the company stated an "unauthorized actor" obtained significant data from a social engineering attack that targeted an outsourced IT support vendor and began at least as early as Sept. 7.
On that date, the actor obtained, "among other data, our loyalty program database, which includes driver's license numbers and/or social security numbers for a significant number of members in the database," the filing read. However, the 8-K notes the full extent of stolen data is still under investigation. But Caesars has found "no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor."
Once Caesars became aware of suspicious activity (the company did not provide a date), it activated incident response protocols and engaged leading cybersecurity firms, law enforcement and state gambling regulators.
"While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents," the filing read. "These efforts are ongoing. We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems."
Notably, the filing includes references to "steps" taken by the company to "ensure that the stolen data is deleted by the unauthorized actor," and that such a result is not guaranteed. This detail aligns with a Thursday report from Wall Street Journal that Caesars paid roughly $15 million in a ransom payment to the threat actors.
Caesars Entertainment did not respond to TechTarget Editorial's request for comment at press time.
Caesars' disclosure followed one similarly made by fellow gambling entertainment giant MGM Resorts. On Sept. 11, MGM published a statement to Twitter stating it "recently identified a cybersecurity issue affecting some of the Company's systems."
In a follow-up statement published the same day, the company said its resorts remain operational. However, various media outlets have reported that guests at Las Vegas-area MGM resorts are dealing with massive disruptions with amenities, gambling machines, check in and check out, and hotel rooms access as recently as Wednesday evening.
While MGM has not officially identified the cybersecurity incident as a ransomware attack, VX-Underground, a cybersecurity research collective, stated on Twitter this week that the Alphv/BlackCat ransomware gang and a threat actor known as Scattered Spider had claimed responsibility. Media outlets such as Reuters have also reported that Scattered Spider was behind the attack.
Update 9/15/2023: Alphv posted a statement on its dark web leak site confirming its involvement in the attack on MGM and threatening to carry out additional attacks on the company if "a deal is not reached." The ransomware gang made several other claims about the details of the attack on MGM and the company's response, but those claims could not be verified at press time.
Scattered Spider, also referred to as UNC3944, is a threat group that has been active since May 2022 and is known for employing effective social engineering and phishing techniques to breach organizations and steal data. The threat group was responsible for compromising four Okta customers in a social engineering campaign this summer.
MGM Resorts did not respond to TechTarget Editorial's request for comment at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.