The recent headline-grabbing hacking attacks on casinos in the U.S., including North Carolina casinos, underscore the dire need for the gambling industry to protect customer data and maintain public trust.
Members of the International Gaming Standards Committee (IGSA) are taking that responsibility to heart by creating a Cyber Resiliency Committee. The committee will develop standards for cybersecurity and risk management for operators, gaming technology companies, and related gambling businesses.
Casino gaming technology providers lead the way in cybersecurity
According to IGSA, members of the organization are prioritizing “the alarming rate of increasing cybersecurity issues in our industry.”
IGSA chairman and AXES CEO Earle G. Hall is the interim chair of the committee. AXES is a leading supplier of software and hardware for casinos such as digital kiosks and loyalty program software.
“Our members are clear that cybersecurity has to be a top priority for all gaming suppliers in our industry to protect operators and our industry at large,” Hall said.
Two other gaming technology providers, Light & Wonder, and Aristocrat Technologies led the drive, along with AXES, to form the committee.
“This committee will solicit experts within our membership to create ready-to-use standards to improve cyber resilience,” added Hall.
Members and affiliates of the IGSA also include state lottery commissions, regional casino groups, and academic research organizations including UNLV’s International Gaming Institute.
Previous cyberattacks on casinos
The most recent cyberattacks targeted MGM Resorts International, Caesars Entertainment, and Stake.com, a cryptocurrency online sportsbook.
- MGM Resorts announced on Sept. 11 that the company “identified a cybersecurity issue” that caused computer outages. Gaming machines and hotel reservation systems went down at several popular MGM properties in Las Vegas. It took the company 12 days to indicate that most systems were back to normal.
- On Sept. 14 Caesars announced that its rewards loyalty program had been compromised, revealing the driver’s license and Social Security numbers of some members.
- Hackers made $41 million in unauthorized withdrawals from Stake.com in early September. The company reported the hack on social media yet reassured customers that its digital currency was safe.
These breaches are just the latest in a long line of cyberattacks. The first known large-scale breach sounds like the plot of an international espionage thriller.
In 2014, Iran launched a state-sponsored hack on the Las Vegas Sands Corporation after its founder, the late Sheldon Adelson, suggested that the U.S. should drop nuclear bombs on the country. Iran responded by stealing customer data from Sands hotel and casino systems.
Over a stretch of months in 2014 and 2015 hackers installed malware that affected the systems of all Golden Nugget properties including its casinos. Other casinos that nefarious hackers targeted in past years include The Palms Las Vegas, Hard Rock International, and MGM.
MGM suffered a data breach in 2019 that affected over 10 million customers. Hackers sold the data on the dark web. Before this year’s incident, cybersecurity rating company BitSight gave MGM an “F” grade for its speed in responding to and fixing cybersecurity vulnerabilities.
Patrons who had their data stolen are now suing MGM and Caesars via several class action lawsuits.
North Carolina casinos and cybersecurity
The most recent hacks on casinos affected only two of North Carolina’s casinos: Harrah’s Cherokee in Cherokee and Harrah’s Cherokee Valley River in Murphy.
While owned by the Eastern Band of Cherokee Indians, the casinos operate under the Caesar’s Entertainment umbrella, which owns the Harrah’s brand. Harrah’s participates in the Caesars loyalty program that was hacked. Both casinos referred customers to a toll-free helpline if they stayed at Caesars properties during the timeframe of the security breach.
So far, there have been no reported cyberattacks on the Catawba Two Kings Resort owned by the Catawba Nation. The casino opened in 2021.
With the imminent launch of online sports betting and non-tribal-owned retail sports betting in the state in 2024, operators, especially MGM and Caesars, must reassure customers that their personal data will be safe. Both companies are prime candidates to roll out sports betting apps in North Carolina.
The U.S. Securities and Exchange Commission is aiding the effort to hold companies accountable for revealing breaches promptly. The agency introduced new cybersecurity reporting rules for publicly traded companies this past summer. Public companies must promptly report “material cybersecurity risks and incidents.”