The casino and hotel company MGM Resorts has dealt with widespread system outages and service disruptions at its properties in Las Vegas and elsewhere this week following a cyberattack that the company has been scrambling to contain. Meanwhile, Caesars Entertainment said in a United States regulatory filing on Thursday that it suffered a recent data breach in which many of its loyalty program members’ Social Security numbers and driver’s license numbers were stolen, along with other personal data.
The two high-profile incidents have drawn scrutiny this week, with MGM customers reporting sporadic keycard issues in the company’s hotels, slot machines gone dark, ATMs out of order, and other difficulties staying at MGM properties and cashing out winnings. After Bloomberg broke the news on Wednesday about the Caesars breach, The Wall Street Journal reported on Thursday that Caesars had paid roughly half of the $30 million its attackers demanded in exchange for a promise that they wouldn’t release stolen customer data. While both are significant, experts emphasize that the fallout from this pair of prominent hacks fits into a broader context of ransomware attacks as a ubiquitous, unrelenting, and inveterate threat.
The recent spate of casino hacks fits into a larger cycle in which certain cyberattacks bring a lot of attention to digital threats and even spur governments to act. Ultimately, ransomware and data extortion attacks settle into the background again, even as they continue to wreak havoc and impact vulnerable populations.
“Attacks against casinos are dramatic and draw attention. We have whole movie and TV franchises about casino heists,” says Lesley Carhart, director of incident response at the industrial-control security firm Dragos. Still, “a lot of life-impacting attacks on critical infrastructure and health care occur far less visibly, and therefore, they aren’t an easy draw for mass media. I do not think this is an issue with cybersecurity or even media in its entirety—it is a human psychology issue. We’ve had that problem for a long time in the industrial-control system cybersecurity space where attacks could really mean life or death, but are not a great story.”
An affiliate of the notorious ransomware group Alphv, a Russia-based gang that is also known as BlackCat, claimed responsibility this week for the MGM attack. The group denied involvement in the Caesars hack. Casinos have long been a target for attackers because they make a lot of money, hold potentially valuable customer data, and historically haven’t always been well secured. MGM itself suffered a breach in 2019 in which more than 10.6 million hotel customers had their data stolen and ultimately published online by hackers.
But Alphv is known for being a prolific and ruthless attacker even when its hacks aren’t garnering constant coverage and discussion. As many cybercriminals do when they are looking to extort money from victims, the gang has targeted health care organizations and other critical institutions that hold sensitive data. Alphv has even been known to release samples of stolen data, like intimate and graphic medical photos, in an attempt to pressure targets into paying their ransom.