After cyberattacks crippled casino companies, how vulnerable is Las Vegas?

Las Vegas Weekly
 

Las Vegas has always prided itself on its economy of leisure. In the span of a weekend, visitors can dine at the finest restaurants, witness world-class entertainment and sporting events and shop at top luxury brands without leaving the Strip—sometimes, without leaving their hotel.

All that came to a standstill last month as two casino giants fell prey to revenue-crippling cyberattacks that have left us wondering: How vulnerable is Vegas, really?

Casino-goers attempting to use mobile check-in, digital keys, credit cards, ATMs, slot machines and other services at some MGM Resorts properties were shocked to find widespread outages on September 11. Hospitality experts and cybersecurity specialists wish they could say the same.

“Unfortunately, I wasn’t surprised that it happened. If somebody comes out and says, ‘We’ve never been hacked,’ they’re lying,” says Mehmet Erdem, professor of hotel operations and technology at UNLV.

The cyberattack, deployed by hacker group Scattered Spider, forced MGM to shut down its systems in an attempt to protect guest data. Days later, Caesars Entertainment filed an 8-K notice disclosing a cyber breach of its own, “resulting from a social engineering attack on an outsourced IT support vendor used by the company,” according to a statement.

Within a week, Scattered Spider had targeted two of the largest hospitality companies in the world. And when the chips were down, Caesars paid roughly $15 million in ransom, the Wall Street Journal reported, and MGM suffered several days of disruption that have cost the company millions. Both operators are facing multiple federal lawsuits alleging that the companies did not do enough to protect customers’ personal information.

Caesars Entertainment did not respond to requests for comment.

In MGM’s 8-K notice filed on October 5, the company said it does not believe customer passwords, bank account numbers or payment card information were obtained by the hackers. “The company also has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud,” the notice reads.

While the extent of the damage still is being evaluated, experts say these types of attacks are bound to happen, especially in a place like Las Vegas.

“It’s not a matter of if you’re going to get hit, but when you’re going to get hit,” says Gregory Moody, professor of information systems at UNLV’s Lee Business School and director of UNLV’s Masters Program of Cybersecurity. “These days, there’s just so much technology embedded in everything that we do.

“This is not just a single castle with one moat, one point of entry. This is a massive city now. There’s so many different ways that people could get in.”

The city’s status as a major tourist destination makes it an extremely attractive cyber target. Last year, 38.8 million people visited Las Vegas, according to the Las Vegas Convention and Visitors Authority, with Strip hotel occupancy at 81.6%. That’s a lot of people and a lot of data.

Verizon’s 2023 Data Breach Investigations Report, which looked at more than 16,000 security incidents and 5,199 breaches, found that ransomware, or the act of using malware to hold data for a ransom—as was the case with Caesars—is on the rise. According to the report, “ransomware is present today in more than 62% of all incidents committed by organized crime actors and in 59% of all incidents with a financial motivation.”

Las Vegas’ megaresorts, with their millions-strong loyalty member databases and their billion-dollar revenue streams, are a risky target that’s apparently worth the reward.

“You’re not going to target an independent bakery down the street, because even if you breach them, the amount of data they have that you could sell on the black market for money is small potatoes,” Moody says. “It doesn’t matter to these kinds of attackers. They’re not just some guy sitting in the basement of his mom’s house in Slovakia or down in the Republic of Congo in Africa. These are advanced groups that hire people, and they pay them wages. They’re a large group, and they have time, resources and expertise. They’ll just keep trying until they get access.”

In recent years, Las Vegas has made great strides towards becoming a more technologically advanced town, with the expanding hospitality industry looking to cater to and enhance the customer experience.

The Strip’s newest property, Resorts World, drew a sizable amount of buzz when it promised to “redefine the traditional gaming experience by introducing the most technologically advanced casino and gaming operations all within one integrated resort.” It introduced cashless wagering on its casino floors, along with smart tables to track guest activity and cashless payments across the resort.

Boyd Gaming’s Aliante Casino in North Las Vegas also took the cashless plunge, and card-only venues such as T-Mobile Arena, Sphere and Allegiant Stadium are becoming more commonplace.

Boyd Gaming declined to comment on whether the cyberattack incident gives the company pause about pushing its cashless strategies due to the “sensitivity of the topic.” Resorts World also declined to comment for this story.

“There are all these good, additional transactions that are happening, leveraging the guests’ behavior to spend more, have a better experience. But at the same time, it’s exposing us to people with ill intent to get into our systems,” Erdem says, adding that having smartphones and other tech at their fingertips also empowers employees to provide better service.

That’s where the conundrum lies.

“We cannot say we are only going to take cash, or we’re going to have only legacy systems that are not on the cloud,” Erdem says. “If you do that, then you’re on the losing end of the capitalist game. You need to grow the market and you need to offer the conveniences that your guests expect to see.”

He says a rollback in technology is incredibly unlikely in today’s global economy. And even if we stopped embracing technology, cybercrime would still persist.

“I think this was a really good teaching moment because the loss is going to be passed on to consumers and to employees. We are all losers in this,” Erdem says.

But this hard lesson might be a good thing for Strip properties and other Las Vegas businesses moving forward. It could make them safer than ever before.

“If anybody had any hesitation about investing in security measures and security software tools, they have nothing to stand on [now],” Erdem says. “The immediate impact is people are going to be a lot more than willing to invest in these things. It’s going to be an expectation to do so, and that’s going to generate a new economy. Perhaps you will see more on-site experts.”

Erdem points out that while gaming companies may be attractive targets, these cyberattacks were complicated efforts that had to circumvent intense existing security protocols. MGM and Caesars both have mandatory cybersecurity training in place for employees, including refresher courses throughout the year. “And a lot of people don’t give credit, but MGM has a chief information security officer. How many companies, hospitality or not, have a C-suite executive that oversees information security? They have a division, and even then, it happened,” Erdem says.

In a May 2023 proxy statement, MGM said it routinely performs its own “attack and response simulations at the technical level,” and “tabletop response exercises at the management level.” MGM also reported that its chief information security officer gives the audit committee updates on IT risks “at least twice a year” and the company’s cybersecurity program gets an annual assessment by external experts.

“We need to understand that existing regulations represent the bare minimum,” Erdem says. “You [need to] go above and beyond what is required.”

These recent events are not the first Las Vegas cyberattack of this scale. MGM experienced another breach in 2019 that resulted in more than 10 million customers’ data being stolen.

But if Las Vegas is going to move forward with its thriving economy based on tourism, hospitality and gaming, the industry and community have to stay vigilant.

“We need to prioritize technology security as no different than running water or having power,” Erdem says. “In terms of investment and allocation of budget, technology, safety and security should be at the forefront, especially for smaller companies.

“MGM had a $200 million insurance [policy]. How many small independent hotels can afford that? For some of them, a good lawsuit can mean that they are shutting down. They’re gone.”