Caesars SEC breach report: $15m ransom paid

The Caesars Entertainment breach report has been made public, providing much-anticipated details about the first ransomware attack in Las Vegas this month. MGM Resorts was the second casino company to fall victim to a massive cyberattack, which took place on Monday.

The September 7th filing, made public by the US Securities and Exchange Commission (SEC) on Thursday, says threat actors were able to compromise Caesars’ networks through a social engineering attack on a third-party IT support vendor used by the company.

MGM was rumored to have been hit by the same kind of phone call-based phishing attack, also known as vishing.

In that attack, the bad actors purportedly called an IT help desk using the name of an MGM employee they found on LinkedIn. The hackers then convinced the IT operator to help the “employee” change their password, giving them access to the system.

Four days later, MGM is still struggling to resume normal business operations. Social media has been rife with visuals of slot machines showing error messages on casino floors and hotel guests checking in with pen and paper.

Meanwhile, the hacker group Scattered Spider is said to be claiming responsibility for both attacks, possibly with the help of another notorious ransomware gang, ALPHV/BlackCat, which created a lengthy post about the MGM breach on its dark leak site Thursday.

Scattered Spider said it obtained six terabytes (6TB) of stolen data between both hospitality giants – data reportedly containing sensitive information of millions of guests who have vacationed at the facilities, it told Reuters on Thursday.

The overall customer count for both companies is spread across more than 90 hotel and gaming resorts, with thousands of guest rooms in each hotel.

Moreover, after days of rumors circulating about a $30 million ransom demand, unnamed sources told the Wall Street Journal Thursday that Caesars did, in fact, pay the hackers half of that original ransom.

Although Caesars has not publicly confirmed the payment, the SEC report alluded to some sort of deal between Caesars and the threat actors.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars stated in the report.

Reuters also said the hacker group told the news outlet “it did not plan to make the data public.”

Scattered Spider, also known as UNC3944, has been linked to more than 100 breaches over the past two years at companies ranging from gaming and technology firms to retailers, telecom, and insurance firms, said Charles Carmakal, CTO at Google-owned cyber intelligence firm Mandiant.

The group is especially known for its effective social engineering skills.

The aftermath

After discovering the breach, Caesars said it used a combination of incident response measures, including containment and remediation, to prevent further intrusion into the network.

“Customer-facing operations, including our physical properties and our online and mobile gaming applications […] were not impacted […] and continue without disruption,” it said.

Still, the hackers were able to steal a copy of Caesars’ entire loyalty program database, “which includes driver’s license numbers and/or Social Security numbers for a significant number of members in the database.”

So far, there is no evidence that member passwords/PINs, bank account details, or payment card information were stolen in the breach, and the data has not been seen published or shared online, the company said.

Las Vegas Governor Joseph Lombardo and the Nevada Gaming Control Board are also monitoring the situation with other law enforcement agencies.

Caesars has also created an official response website to provide details for those who suspect they may have been affected by the attack, plus additional resources. Individuals may also call the Caesars breach incident response hotline at (888) 652-1580.

Affected individuals will be notified on a rolling basis starting next week, while all loyalty program members will be offered free credit monitoring and identity theft protection services, the company said.

In July, Wall Street adopted a new SEC four-day deadline for companies to disclose a major cyber incident as a way to protect investors, and those familiar with the case said the Caesars filing had been expected this week.
