Casino Giant Caesars Entertainment Reports Cyberattack; MGM Resorts says some systems are still down after attack

LAS VEGAS– Casino company Caesars Entertainment on Thursday joined its Las Vegas gaming rival, MGM Resorts International, in reporting that it had been hit by a cyberattack, but added in a report to federal regulators that its casinos and online operations had not been disturbed.

The Reno-based publicly traded company told the federal Securities and Exchange Commission that it could not guarantee that the personal information of tens of millions of customers was secure following a Sept. 7 data breach that reportedly was able to reveal driver’s license and social security numbers from loyalty rewards. members.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor,” the company said, “although we cannot guarantee this outcome.”

Brett Callow, a threat analyst for New Zealand-based cybersecurity firm Emsisoft, said it was unclear whether a ransom was paid or who was responsible for the intrusion – and the attack reported on Monday by MGM Resorts.

“Unofficially, we’ve seen a group called Scattered Spider claim responsibility,” Callow said. “They appear to be native English speakers under the umbrella of a Russia-based operation called ALPHV or BlackCat.”

Scattered Spider is also known as UNC3944, said Charles Carmakal, CTO of cybersecurity company Mandiant. He called the group “incredibly disruptive and aggressive” in its recent attacks on hospitality and entertainment organizations.

“They leverage know-how that is difficult for many organizations with mature security programs to defend against,” Carmakal said in a statement.

Mandiant said in a blog analysis published Thursday that the group uses SMS phishing and phone calls to help offices attempt to obtain password resets or multi-factor bypass codes.

“This relatively new entrant to the ransomware industry has affected at least 100 organizations, most in the United States and Canada,” Mandiant said.

Caesars is the world’s largest casino owner, with more than 65 million Caesars Rewards members and properties in 18 states and Canada under the Caesars, Harrah’s, Horseshoe and Eldorado brands. It also offers mobile and online operations and sports betting. Company officials did not respond to emailed questions from The Associated Press.

The company told the SEC that loyalty program customers were offered credit monitoring and identity theft protection.

There is no evidence that the intruder obtained members’ passwords or bank account and payment card information, the company reported, adding that casino and online operations “did not have not been affected by this incident and are continuing without interruption.

The disclosure by Caesars came after MGM Resorts International, Las Vegas’ largest casino company, publicly announced Monday that a cyberattack detected Sunday caused it to shut down computer systems at its properties across the United States to protect the data.

MGM Resorts said reservations and casino floors in Las Vegas and other states were affected. Customers shared stories on social media about being unable to make credit card transactions, get money from ATMs or get into hotel rooms. Some video slots were dark.

MGM Resorts has approximately 40 million loyalty rewards members and tens of thousands of hotel rooms in Las Vegas at properties including the MGM Grand, Bellagio, Aria and Mandalay Bay. It also operates properties in China and Macau.

A company report to the SEC on Tuesday highlighted its Monday press release. The FBI said an investigation was ongoing but provided no additional information.

Some computer systems at MGM Resorts were still down Thursday, including hotel reservations and payroll. But company spokesman Brian Ahern said its 75,000 employees in the United States and abroad should be paid on time.

Callow, speaking by telephone from British Columbia, Canada, called most media accounts of the incidents speculative because the information appeared to come from the same entities that claimed to have carried out the attacks. He said recovery from a cyberattack can take months.

Callow pointed to what he called “plausible” reports that Caesars Entertainment had to pay $30 million for a promise to secure its data and could have paid $15 million. He also noted that the company did not describe in the SEC report the steps taken to ensure the security of the stolen data.

The highest ransom reportedly paid to cyberattackers was $40 million by insurance giant CNA Financial, Callow said, following a March 2021 data breach.

“In these cases, organizations are paying to get a ‘small promise,’” he said. “There’s no way to really know if (the hackers) delete (the stolen data) or if it won’t be used elsewhere.”

____

Frank Bajak, Associated Press technology editor in Boston, contributed to this report.