As the U.S. gaming industry embraces digital technology, lawyers and regulators are warning of increasingly sophisticated cyberattacks against commercial and tribal casino operations.
“Certainly, when it comes to gaming, we have seen an uptick in cybersecurity incidents,” said Afshien Lashkari, lead engineer with the technical services bureau at the New Jersey Division of Gaming Enforcement (DGE).
The most recent crippling cyberattacks involved MGM Resorts International, which was forced last year to shut down computer systems in Las Vegas and eight states, including at its Borgata resort in Atlantic City.
At the time, CEO Bill Hornbuckle described the social engineering attack as “corporate terrorism at its finest”, but said MGM never even considered paying a ransom to Scattered Spider, the group that claimed responsibility for September’s incident.
That same group also targeted Caesars Entertainment, which paid a $15m ransom to recover its data.
As far as New Jersey is concerned, Lashkari said, the state has experienced one major cyber incident since internet gaming was launched in 2013.
In July 2014, a cyberattack was perpetrated on four New Jersey online casinos by a hacker who demanded that a ransom be paid in Bitcoin.
New Jersey gaming regulators described the incidents as distributed denial of service (DDoS) attacks, which flood a network or server with so much traffic that legitimate users can no longer reach it.
“It’s not always going to be a third-party that you have no affiliation with that impacts a company,” Lashkari said. “A lot of times, you might just have an employee that is trying to manipulate the data, manipulate the system.”
Lashkari cited an incident at Yahoo! about two years ago in which an employee, after accepting a job with a competitor, downloaded thousands of files from his work computer to a removable storage device to take with him. Some of the files allegedly contained source code.
“It doesn’t have to stop there,” Lashkari added. “There are other scenarios where it is not an internal employee, it could be a third-party vendor … and there are times when that has led to a breach.”
Lashkari stressed that “all industries that contain sensitive, confidential data could have a concern with cybersecurity.”
Lashkari participated in a discussion last week on the compliance implications of data privacy and cybersecurity at the Gaming Law, Compliance and Integrity Bootcamp hosted by Seton Hall Law School in Newark, New Jersey. He was joined by Anthony Torntore, assistant U.S. attorney and chief of the cybercrime unit with the U.S. Attorney’s Office in Newark, and Nitin Pandey, managing director at Deloitte in New York.
Another recent example was the incident that forced the Nevada Gaming Control Board (NGCB) to take down the agency’s public-facing website. The NGCB did not call it a cyberattack, saying instead that a “security incident” forced a transition to a new website.
Torntore said what makes the gaming industry particularly susceptible to some of the more common types of cyberattacks, including ransomware or a data breach, is the tremendous amount of data that casinos and online operators collect from their customers.
“It’s personal data, financial data,” Torntore said. “It’s valuable to them. They need it to do business and they need their servers online to do their business so they are a target that will often consider paying faster than other businesses” to get access to their data.
“It is easier just to pay,” he added.
Torntore said casinos store a lot of information on their high-value customers that is valuable to cyber criminals who are looking to get their hands on that “data and exploit the victim, casinos and other entities that they are attacking.”
From a regulatory perspective, Lashkari said the DGE is aware of both DDoS and credential stuffing attacks. He described credential stuffing as “more along the lines of an account takeover” by acquiring the account holder’s username and password.
Concerns about cyberattacks and attempted fraud led the DGE to set a June 30, 2022 deadline for every online gaming operator in the state to establish multi-factor authentication for their customers as part of their know your customer (KYC) obligations.
Multi-factor authentication requires patrons to provide additional verifications besides their usernames and passwords in order to gain access to an account.
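The credential stuffing and DDoS attacks the DGE describes leave very different shapes in an operator’s logs, and credential stuffing in particular (replaying username/password pairs leaked from other sites) also differs from classic brute force. The following is an added example, not code from the DGE or any operator quoted here: it parses a constructed login log and flags source addresses that try many distinct accounts with a low success rate (stuffing) separately from one account hammered with many passwords (brute force). The log format, IP addresses, usernames and thresholds are all invented for the example.

```python
"""Added example: telling credential stuffing from brute force in an auth log.

Credential stuffing replays username/password pairs leaked elsewhere, so from
one source it looks like many distinct usernames, each tried once or twice,
with a low success rate.  Brute force is the opposite shape: one username hit
with many passwords.  The log format and every line below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:03Z 203.0.113.7 carol FAIL
2024-03-01T10:00:04Z 203.0.113.7 dave FAIL
2024-03-01T10:00:05Z 203.0.113.7 erin OK
2024-03-01T10:00:06Z 203.0.113.7 frank FAIL
2024-03-01T10:01:00Z 198.51.100.9 gina OK
2024-03-01T10:30:00Z 198.51.100.9 gina OK
2024-03-01T11:00:00Z 192.0.2.33 henry FAIL
2024-03-01T11:00:05Z 192.0.2.33 henry FAIL
2024-03-01T11:00:10Z 192.0.2.33 henry FAIL
2024-03-01T11:00:15Z 192.0.2.33 henry FAIL
2024-03-01T11:00:20Z 192.0.2.33 henry FAIL
2024-03-01T11:00:25Z 192.0.2.33 henry FAIL
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed four-column format; blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        attempts.append(Attempt(when, ip, user, result == "OK"))
    return attempts


def _windows(events, window):
    """Yield every trailing slice (sorted by time) no wider than `window`."""
    events = sorted(events, key=lambda a: a.ts)
    start = 0
    for end in range(len(events)):
        while events[end].ts - events[start].ts > window:
            start += 1
        yield events[start:end + 1]


def detect_stuffing(attempts, window=timedelta(minutes=5), min_users=5, max_success_rate=0.2):
    """Flag source IPs that try >= min_users distinct accounts inside `window`
    with a success rate at or below max_success_rate.  The few successes are
    the accounts that need a forced reset and an MFA re-check."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    findings = {}
    for ip, events in by_ip.items():
        for win in _windows(events, window):
            users = {a.user for a in win}
            successes = sum(1 for a in win if a.ok)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                findings[ip] = {  # later windows overwrite, so the widest one is kept
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "compromised": sorted({a.user for a in win if a.ok}),
                }
    return findings


def detect_brute_force(attempts, window=timedelta(minutes=5), min_failures=5):
    """Flag (ip, user) pairs with >= min_failures failed logins inside `window`."""
    by_pair = defaultdict(list)
    for a in attempts:
        if not a.ok:
            by_pair[(a.ip, a.user)].append(a)
    findings = {}
    for pair, events in by_pair.items():
        for win in _windows(events, window):
            if len(win) >= min_failures:
                findings[pair] = len(win)
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_stuffing(parsed))
    print("brute force:", detect_brute_force(parsed))
```

On the constructed log, 203.0.113.7 is reported as stuffing with six distinct users and one success (erin), 192.0.2.33 as brute force against henry, and the legitimate repeat logins from 198.51.100.9 are not flagged. In production the thresholds would be tuned per operator, and the “compromised” list is the input to the MFA and password-reset controls discussed above, since a valid password alone should not be enough to complete the takeover.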
Lashkari said collaboration between the industry and regulators is the key to cybersecurity.
One of the concepts being introduced by operators, Lashkari said, is a single wallet shared by iGaming and mobile sports-betting apps so that a patron’s funds move seamlessly across multiple jurisdictions. But that creates potential vulnerabilities if operators are not subject to the same safety measures in every jurisdiction.
If a patron sets up an account in New Jersey, Lashkari said, the operator must comply with multi-factor authentication best practices; if the account is set up in a jurisdiction without the same requirement, the patron is left vulnerable.
“Standardized-access jurisdictions really go a long way toward protecting the patron,” he added.
Turning to credential stuffing attacks, in which attackers try to pass themselves off as someone else, including as someone inside the company itself, Lashkari said it is crucial to have adequate controls in place when patrons reset their passwords.
“We are trying to come up with beneficial ways to help that be mitigated, whether it is making sure they have a strong policy in place when you are trying to reset peoples’ passwords [or] making sure you have strong policies in place with the access credentials and who has access,” Lashkari said.
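The reset-policy point above can be made concrete. The following is an added example, not the DGE’s code or any operator’s, of a password-reset flow with the controls usually expected of it: tokens drawn from the OS random generator, stored only as hashes, time-limited, single-use, and a reset request that answers identically whether or not the account exists so it cannot be used to enumerate patrons. The account store, mail delivery, clock and the 15-minute token lifetime are assumptions made for the example.

```python
"""Added example: a password-reset flow with the controls a regulator would
expect.  The account store, e-mail delivery and clock are stand-ins; the
15-minute lifetime is an assumption.  The policy points are in the comments."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is good for 15 minutes
NEUTRAL_REPLY = "If an account with that username exists, a reset link has been sent."


def _hash_token(token):
    # Only the hash is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetService:
    def __init__(self, accounts, now=time.time):
        self._emails = dict(accounts)   # username -> e-mail address (constructed)
        self._passwords = {}            # username -> (salt, pbkdf2 digest)
        self._tokens = {}               # sha256(token) -> (username, expiry time)
        self._now = now                 # injectable clock so expiry can be tested
        self.outbox = []                # (e-mail, token): stands in for mail delivery

    def request_reset(self, username):
        """Same reply whether or not the account exists (no account enumeration)."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter or timestamp
        if username in self._emails:
            self._tokens[_hash_token(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
            self.outbox.append((self._emails[username], token))
        # The token is generated on both paths so timing does not reveal which one ran.
        return NEUTRAL_REPLY

    def redeem(self, token, new_password):
        """Consume the token: single-use, time-limited, gone after any attempt."""
        entry = self._tokens.pop(_hash_token(token), None)   # pop => single use
        if entry is None:
            return False
        username, expires_at = entry
        if self._now() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        self._passwords[username] = (salt, _hash_password(new_password, salt))
        # Any other outstanding reset tokens for this user are now stale.
        self._tokens = {h: v for h, v in self._tokens.items() if v[0] != username}
        return True

    def verify_password(self, username, password):
        stored = self._passwords.get(username)
        if stored is None:
            return False
        salt, digest = stored
        return hmac.compare_digest(digest, _hash_password(password, salt))


def demo_flow():
    """Walk the flow with a controllable clock; returns the outcomes of each control."""
    clock = [1_700_000_000.0]
    svc = ResetService({"alice": "alice@example.com"}, now=lambda: clock[0])
    reply_real = svc.request_reset("alice")
    reply_fake = svc.request_reset("nobody")
    _, token = svc.outbox[-1]
    first = svc.redeem(token, "correct horse battery staple")
    replay = svc.redeem(token, "attacker-chosen")       # same token presented again
    svc.request_reset("alice")
    _, late_token = svc.outbox[-1]
    clock[0] += TOKEN_TTL_SECONDS + 1                   # let the new token expire
    expired = svc.redeem(late_token, "too late")
    return {
        "replies_identical": reply_real == reply_fake,
        "first_redeem": first,
        "replay_redeem": replay,
        "expired_redeem": expired,
        "login_works": svc.verify_password("alice", "correct horse battery staple"),
        "wrong_password": svc.verify_password("alice", "attacker-chosen"),
    }


if __name__ == "__main__":
    for control, outcome in demo_flow().items():
        print(f"{control}: {outcome}")
```

The dictionary lookup by token hash replaces a constant-time comparison: the attacker controls only the preimage, and equality of SHA-256 digests of a 256-bit random token reveals nothing useful. Two things the example deliberately does not do are also part of a sound policy: it never echoes the token or the account’s existence back to the requester, and a successful reset should additionally revoke the account’s live sessions and trigger the MFA re-enrolment check the DGE requires.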