The cyberattack that crippled MGM Resorts International’s casino systems in eight states this month has helped spur commercial and tribal gaming regulators to identify cyber vulnerabilities in the casino industry.
The MGM cyberattack employed voice phishing, which allowed the hackers to impersonate an employee to gain access to company systems, according to reports.
Caesars Entertainment also confirmed that hackers this month gained access to its computer systems through an outsourced vendor, stealing a large amount of customer data in an unrelated cyberattack.
These breaches of internal company systems caused Brian Krolicki, a member of the Nevada Gaming Commission (NGC), to ask his colleagues if both companies would brief regulators in public on what happened.
“I think at some point in time, when there is the energy and understanding of what happened, if we could get some kind of briefing on what had transpired, that’s appropriate for the public record and perhaps for public policy,” Krolicki said at the end of the NGC’s September 21 meeting.
Krolicki said there has been a lot of publicity surrounding these incidents, and it would benefit regulators to get a handle on just what happened.
The recent attacks on MGM, Caesars, and Gateway Casinos in Ontario, as well as attacks on tribal casinos in three U.S. states over the last two years, highlight the need for better cooperation between regulators and operators, according to two regulators with the Pennsylvania Gaming Control Board (PGCB).
“The whole issue of cybersecurity can be daunting to all involved, especially a regulator,” said Paul Resch, director of gaming operations with the PGCB.
Resch said Pennsylvania officials are able to apply some regulatory pressure to the industry on important areas that they should be focusing on, particularly to protect the integrity of operations, their customers and their employees.
“We have a shared mission here between the regulators and operators because we all want to see this industry continue to grow,” Resch said on Wednesday (September 27) during a Gaming Laboratories International (GLI) webinar on cybersecurity in the gaming industry.
Lee Copello, director of iGaming compliance with the PGCB, said technology is always evolving, so open lines of communication between regulators, cybersecurity experts and operators “enhance our ability to know what’s out there and what we need to be addressing with a higher priority.
“One of the things that is difficult is every quarter a scan could be done and then you’ll find new emerging vulnerabilities on the next scan,” Copello said.
“We are just trying to stay focused and continually push forward. As technology evolves, we try to evolve with it.”
In keeping up to date on the latest incidents, Resch said the PGCB recently spoke with Ontario regulators, who shared practices and insights on recent incidents that impacted Gateway Casinos and Caesars.
Gateway closed its Ontario casinos for two weeks from April 17 after announcing it was dealing with a “cyber security incident”.
The company also assured customers and employees that there was no evidence that their personal information had been compromised.
On April 29, Gateway began to restart its Ontario operations.
Resch said Pennsylvania regulators also looked at the regulations that took effect earlier this year in Nevada.
Currently, Nevada casinos have until the end of the year to perform a risk assessment of the vulnerability of their computer systems to cyberattacks.
The amendments to Regulation 5, which governs the operation of gaming establishments, took effect on January 1 and give some 400 non-restricted gaming licensees until December 31 to perform a risk assessment of their systems and take necessary and ongoing steps to protect infrastructure.
Properties are also required under the new regulations to report any successful breach that compromises player or employee data, credit card information, or other records or infrastructure to gaming regulators within 72 hours.
The amended regulations give licensees some latitude in how they develop appropriate cybersecurity practices.
The new regulations were also changed to allow licensees to use an affiliate or third-party company to conduct assessment and monitoring.
Krolicki, with the NGC, told his fellow commissioners last week that a policy briefing on the incidents involving MGM and Caesars could be appropriate for looking at “policy going forward.”
Meanwhile, cyberattacks against tribal casinos have become increasingly sophisticated. Disruptions from the attacks have included temporary shutdowns of casinos, theft of sensitive consumer data, and millions of dollars in losses.
Over the last two years, there have been a dozen reports of cyberattacks on tribal casinos in Oklahoma, New Mexico and Wisconsin.
On Wednesday, a National Indian Gaming Commission (NIGC) spokeswoman said the agency could not speak directly about the MGM and Caesars cyberattacks, but confirmed the NIGC had issued another alert to the tribal gaming community.
“Foremost, the NIGC takes tribal gaming cybersecurity operations very seriously and has developed actions to help protect tribal gaming operations from ever-changing cyber threats,” the spokeswoman said in an email.
In a one-page memo, the NIGC outlined its “Defense in Depth” strategy, which encompasses multiple layers of protective mechanisms designed to secure data, information, and information systems.
The memo outlines some of the cybersecurity strategies used by operators, specifically the utilization of antivirus software, software and hardware firewalls, disk encryption, authentication controls, and multi-factor authentication.
“Cyber-related attacks impact organizations, big and small, have increased in recent years, and are not going away. To significantly reduce risk to IT systems, it is prudent for organizations to employ a layered, redundant approach to cybersecurity,” the NIGC said.