.svg)
Several tribal casinos have been forced to close their doors after ransomware attacks took hundreds of slot machines offline, while experts in one incident continue to work to reopen their casino floor.
The attacks in Minnesota and Michigan were just the latest in a series of damaging incidents to impact a $41.9bn tribal gaming industry, whose substantial amounts of stored customer financial information make casinos an attractive target for hackers.
On April 2, the Lower Sioux Indian Community in Minnesota confirmed that an unauthorized “actor” accessed and disrupted operating systems for its casino and other tribal businesses. The tribe worked with third-party experts to investigate the ransomware event.
As of Thursday (April 10), slot machines and kiosks at Jackpot Junction remained unavailable while table games were open for play. The casino has also canceled all bingo games until further notice, according to a notice on its website.
RansomHub, a cybercriminal group, claimed responsibility for the ransomware attack. It was unclear if the group contacted the Lower Sioux trying to extort a ransom for the return of any data obtained in the breach.
In a statement, the Lower Sioux tribe stressed that they were “working to return to normal operations as quickly and as securely as possible”.
In February, the same group targeted the Sault Ste. Marie Tribe of Chippewa Indians in Michigan, forcing the temporary closure of all five of the tribe's casinos for more than a week. The cyberattack, which is being investigated by the FBI, also affected the tribe's government and health services.
Sault Tribe chairman Austin Lowes apologized for how disruptive the attack had been and assured tribal members and casino patrons that the tribe had strengthened their IT systems as a result. In a Facebook post on March 5, Lowes confirmed the tribe would not pay the ransom that RansomHub tried to extort from the tribe.
After much deliberation, Lowes said, they determined there was no point in paying their ransom because the tribe had been able to recover virtually all of their data. Lowes did not disclose the ransom amount demanded by RansomHub.
“Second, there was no guarantee we would have received what was promised,” the chairman said. “We could have paid their ransom and still had our data shared on the dark web.”
Over the last five years, ransomware groups have earned hundreds of millions of dollars from attacks on tribal and commercial casinos in North America, with these incidents leading to the theft of player data, operational disruptions and financial losses.
Since 2020, incidents involving tribes in Idaho, Oklahoma and New Mexico have become public as tribal casinos were forced to close to remediate their networks following ransomware attacks.
As incidents continue to impact gaming tribes, the National Indian Gaming Commission issued an alert in February reminding tribes of the need to develop and maintain more stringent cybersecurity practices.
California Cardroom Cybersecurity Standards
While recent events have prompted tribal casino operators to upgrade their security measures to protect themselves from a cyberattack, regulators in California continue to craft policies to encourage commercial licensees to reinforce their cybersecurity protocols.
Lisa Wardall, executive director of the California Gambling Control Commission (CGCC), stressed that a rulemaking proposal being crafted by the state's Gaming Policy Advisory Committee (GPAC) is “not a mandate at this time”.
“This project was done to gather some preliminary research on the current practices employed within cardrooms along the lines of cybersecurity,” Wardall said.
Wardall admitted that the commission prefers “taking an educational approach first before going straight to a regulatory approach”.
Currently, there are no provisions in the California Gambling Control Act or CGCC regulations that would require a cardroom to report a cyberattack incident to the commission.
Fred Castano, a CGCC spokesman, told Vixio GamblingCompliance in an email that “the commission had not received any reports of a cyberattack on a California cardroom”. Currently, there are 80 licensed cardrooms in California operating some 2,190 tables.
The five-page proposal drafted by GPAC does not require licensees to review their cybersecurity policies, but instead recommends a comprehensive appraisal of the security of their network and systems, as well as training employees on current threats and best practices.
GPAC also urged cardrooms to update their software, applications and firewalls regularly, along with backing up their data and having a disaster recovery plan in place, and consulting with cybersecurity experts for an audit.
Other recommendations include changing passwords regularly, using multi-factor authentication (MFA) for email and sensitive systems, as well as using anti-virus software and backing up data to ensure business continuity from cyberattacks.
During a GPAC meeting last week, the conversation revolved around the cost of any cybersecurity regulations on smaller cardrooms, compared with larger gaming businesses.
Michael Koniski, general manager of Artichoke Joe’s Casino and a GPAC member, explained that protections on average could cost $100,000 to $200,000 and up to $500,000, and if regulators were to “mandate such a requirement it may be very expensive for smaller properties”.
Artichoke Joe’s has 51 tables, but there are so-called Tier One cardrooms throughout California that operate between one and five table games.
“I think we are here to protect the entire industry,” Koniski said.
