U.S. Casinos, Regulators Face Growing Cybersecurity Challenge

The success of cyber criminals in illegally obtaining customer financial data at a number of well-known casino-resorts has led U.S. gaming regulators to focus increasingly on cybersecurity risks.

The latest casino to fall victim was the Hard Rock Hotel & Casino in Las Vegas, which was first alerted on May 13 to its second data breach after receiving reports of fraudulent activity. Investigators then discovered the malware and unauthorized POS (point of sale) network access put in place by hackers.

The company said the data break-in provided hackers with access to payment card data, including name, card number, expiration date and internal verification code, in some cases. Hard Rock said “no other information was involved.”

The company said that cards used at some retail and restaurant outlets between October 27 and March 21 could have been affected.

The number of potential cards affected was not immediately disclosed.  

“It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity,” Hard Rock, which is operated independently from namesake Hard Rock International, said in a statement. 

Law enforcement and payment card networks have been notified, and Hard Rock said it is working with cybersecurity firms to strengthen the security of its systems.

Hospitality companies, including those in Las Vegas and Atlantic City, are considered by experts to be prime targets for cyber-attacks because they handle a large volume of valuable personal and financial information.

Hard Rock faced a similar breach in May 2015 when the Las Vegas hotel announced that hackers accessed customer names, credit card numbers, expiration dates and CVV codes for credit and debit card transactions conducted between September 3, 2014 and April 2, 2015.

John Christly, chief information security officer at managed security services company Netsurion, said most data breaches can occur when hackers get remote access to customer financial data stored by the retailers located in the casino-resort.

“They don’t discover it until it is way too late,” said Christly. “[Hackers] don’t grab 1,000 credit cards a day, they may get four or five a day.”

Christly said at that rate it takes a while for a credit card company or credit union to notice that there is a pattern of fraud. 

Hard Rock also informed Nevada gaming authorities of the data breach, and regulators have launched an investigation into the incident.

“We do investigate, and our desire is to determine whether there has been a breach of any software related directly to gaming operations,” A.G. Burnett, chairman of the Nevada Gaming Control Board, told GamblingCompliance.

To date, Burnett said, that has not happened.

The Hard Rock in Las Vegas is not the only casino-resort to be the target of a recent cyber-attack. 

The Las Vegas Sands-owned Venetian and Palazzo in Las Vegas and Sands Bethlehem in Pennsylvania were hit by a significant cyber-attack in 2014, which was later linked to the Iranian government.

The FireKeepers and Four Winds tribal casinos in Michigan, as well as the Peppermill Casino in Reno, Nevada, have also all been victims of cyber crimes. 

The attacks range from people using skimming devices to get credit card numbers, to malware being placed on a payment-card system, to email viruses being opened by employees that infect a company’s computer system.

“We do work with staff at the licensee level to determine what happened and what could have been done to prevent a breach, in addition to receiving reports from outside consultants on the event and technical details on remedial measures and what licensees are going to prevent breaches from occurring in the future,” Burnett said. 

Burnett added that Nevada requires the chief technology officer of each casino company to be individually licensed, with responsibilities that include overseeing cybersecurity matters.

Citing increased risks of cyber-attacks, New Jersey in November began requiring Atlantic City casinos to have a specific information security officer (ISO) licensed as a key employee. 

“The division plays a significant role in cyber security by setting regulatory standards and then enforcing those standards through field audits and investigation,” said Kerry Langan, a spokeswoman for New Jersey’s Division of Gaming Enforcement (DGE).

Langan said the DGE also administers a remote analytics system to ensure the “integrity of [casinos’] data, monitor for changes to their software and scan for potential security threats.” 

According to the new rules enforced by DGE, Atlantic City casinos must designate an ISO who will be required to obtain the same kind of gaming licenses as the current heads of casinos’ surveillance and audit departments.

Langan said some of the required duties for any ISO include developing formal cybersecurity plans, as well as procedures for reviewing the effectiveness of those plans on a regular basis.

“The ISO will also be the primary point of contact for the division in the event of a cybersecurity incident,” Langan said.

The new licensing requirement was implemented about four months after a cyber-attack shut down four Atlantic City online casino gaming sites for 30 minutes over the July 4th holiday in 2015.

The online casinos were not publicly identified by DGE.

The attack was followed by the threat of a more powerful and sustained attack to be initiated 24 hours later unless a Bitcoin ransom was paid.

Langan said the attacks carried the potential to “not only negatively impact the targeted casinos but also all businesses in Atlantic City who share the same ISP provider.”

She credited the DGE, plus state and federal agencies, as well as casino IT staff, with mitigating the threat with no significant disruption to service.

In Massachusetts, gaming regulators have crafted policies to deal with any potential cyber-attacks on a growing casino industry.

“If there was a data breach that [gaming regulators and law enforcement] were made aware of, we would coordinate efforts with the licensee and their IT staff and/or conduct our own independent investigation to include utilizing the state police and the attorney general’s office cyber investigative capabilities,” Elaine Driscoll, a spokeswoman for the Massachusetts Gaming Commission (MGC), said in an email to GamblingCompliance.

Driscoll said the MGC does not have “dedicated personnel for those areas.”

She added that IT personnel at casinos are required to register and obtain licensure and are subject to background investigations. 

“We have had multiple on record and off record discussions with licensees,” Burnett said of Nevada’s focus on cybersecurity risks.

“All of us are very concerned about these breaches and I believe everyone is working to alleviate threats. Unfortunately, it is very difficult and all of us have to be on high alert at all times.”