Caesars Entertainment has officially disclosed some details about the cyberattacks that affected a number of Las Vegas casino properties in September, saying that 41,000 residents of Maine alone had their data illegally acquired by a ransomware gang.
In a filing with the US state's Attorney General's office, the casino and hotel giant revealed that cybercriminals managed to siphon the data of 41,397 Maine residents, and said that the overall number of the breach's victims is yet to be determined.
In its official announcement, Caesars Entertainment confirmed that it became the victim of a social engineering attack on an outsourced IT support vendor, which eventually led to unauthorized access to the company's network and data exfiltration. The breach occurred on August 18th, 2023, and the theft of customer data started on or about August 23rd, 2023. Subsequently, on September 7th, Caesars Entertainment confirmed that the data taken in the cyberattack included some state residents' personal details.
As previously revealed by CasinoGamesPro, the loyalty program of the company's hotel chain was pillaged, and the company has now revealed that the stolen personal data involved names, ID card numbers and/or driver's license numbers. According to the official filing, the attackers did not access any financial information or payment details of Caesars Entertainment's customers.
Caesars Entertainment Makes No Revelations Regarding Potential Ransom Paid to the Attackers
Caesars Entertainment also sent a security breach notification letter to its customers, informing them that it has taken steps to make sure that the stolen data is deleted by the attackers who gained unauthorized access to it. However, the casino, hotel and entertainment chain confirmed that it is unable to guarantee the result.
According to experts, the steps taken by the company include paying the ransom demand, which was reportedly negotiated at $15 million after the attackers made an initial demand for $30 million.
The notification letter also stated that Caesars Entertainment offers its customers complimentary identity theft protection services for two years through a popular data breach and recovery service provider called IDX. The identity protection service involves two years of credit and dark web monitoring to help detect any misuse of personal or financial data, along with an insurance reimbursement policy worth $1,000,000 and fully managed identity restoration in case a customer falls victim to a malicious cybersecurity attack involving identity theft.
As previously reported by CasinoGamesPro, the casino giant issued a U.S. Securities and Exchange Commission (SEC) filing confirming the data theft in September. At the time of the SEC release, the company revealed that a significant number of loyalty program members were probably affected by the breach and had their data stolen. Caesars Entertainment, however, had still not commented on the reported ransom paid to the attackers.
Another huge casino and hotel operator, MGM Resorts, also fell victim to the same cybercrime group, known as Scattered Spider. As a result of the attacks, the company had to shut down its IT systems and slot machines in some Las Vegas venues.