The U.S. gambling industry remains wide open to cyber attacks despite years of accumulated incidents, according to a former assistant U.S. attorney.
“Casinos and online gambling just have tons of data points to attack,” said David Feder, a former assistant U.S. attorney who now works as a cybersecurity lawyer for the firm of Fenwick & West LLP in New York City.
“You’ve got lots of things that a hacker can attempt to exploit,” Feder told a panel discussion on Wednesday (May 18) at the annual gambling law bootcamp at Seton Hall University in Newark, New Jersey.
Last November, the FBI reported a 1,000 percent increase in cyber attacks on tribal casinos since 2019 as ever-increasing digital extortion demands menace the entire gambling industry.
The Oregon Lottery shut down for more than 72 hours in March 2020 after its internet provider, SBTech of the Isle of Man, fell victim to a cyber attack.
Not only did the incident delay SBTech’s merger with DraftKings, but SBTech had to set aside $30m of the $600m it eventually received from the merger to settle claims arising from the shutdown.
An activist malware attack on Las Vegas Sands in 2014 also managed to cripple the company’s servers for weeks.
It is not unusual to see ransomware demands in the hundreds of thousands of dollars, Feder said, and large-scale corporations sometimes receive demands as high as seven and eight figures.
So what does a gambling business do if a cyber attack locks up its computer operations?
“The law enforcement world says, 'Don’t pay because paying only invites more people to try to do it',” Feder said.
But “the cyber insurance industry says, ‘By all means, pay it. If we can minimize the problem here at the outset and do the minimum to get our systems restored and not disrupt our business … let’s do it’,” he said.
“The reality is somewhere in the middle.”
Computer hacking has developed into a “sophisticated ecosystem,” Feder said.
“This is not like what you think of in your traditional sense that there’s some shadowy figure in an internet café in Bulgaria who is singlehandedly taking down your network,” he said.
“It’s a $1bn illicit industry.”
Some nations actually have “hacking armies,” Feder said.
“North Korea basically funds itself by stealing money through various cyber exploits demanding ransoms,” he said.
Hackers commonly use employees and vendors who have access to a company’s computer operations as their way into online operations.
“You have to be mindful of how to train and make aware your employees, so they know not to click on links giving hackers the information they need,” Feder said.
Tabletop exercises for repelling cyber attacks should be conducted at least once a year, he added.
“It’s not just the IT [information technology] guys; it’s everybody in your business has to have some idea of what their roles are going to be if there is a cyber incident on your systems, and the time to do that is not when that happens.”