Caesars’ Rewards Database Targeted by Hackers, Says Company

Posted on: September 14, 2023, 11:33h. 

Last updated on: September 16, 2023, 11:59h.

Caesars Entertainment (NASDAQ: CZR) confirmed today that it was recently the victim of a cyber attack and that the bad actors targeted the Caesars Rewards database, among other data troves, held by the gaming company.

Caesars Debt
Caesars Palace on the Las Vegas Strip. The operator confirmed it was the target of a cyber attack and that hackers stole data from the Caesars Rewards database. (Image: Getty Images)

The casino operator revealed in a Form 8-K filing with the Securities and Exchange Commission (SEC), corroborating recent speculation that it dealt with a negative cyber event days before rival MGM Resorts International (NYSE: MGM) faced similar issues. Rumors surfaced that Caesars paid the hacking group “Scattered Spider,” or UNC 3944, $30 million. In the filing, the operator didn’t confirm that amount, nor did it mention the group by name, but implied it may have incurred expenses related to the hack.

We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” according to the 8-K. “The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.”

The SEC recently instituted guidelines requiring public companies to make disclosures to investors regarding “material” events, such as fires at factories, storms hampering operations and cyber attacks.

Caesars Rewards Database Jackpot for Hackers

Caesars Rewards has over 65 million members, making it the gaming industry’s largest loyalty program, making it a compelling target for cyber criminals.

In the regulatory filing, the gaming company confirmed the perpetrators acquired sensitive data, including driver’s license and Social Security numbers, “for a significant number of members in the database.” Caesars added that, as of yet, there is no evidence that the hackers acquired member PINs, bank account data or payment card numbers.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” added the Harrah’s operator in the SEC filing. “We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”

As a result of the cyber infiltration, Caesars is offering free credit monitoring services to customers. That can be obtained by calling (888) 652-1580.

Caesars Ransomware May Not Be ‘Material’

“Material” is a subjective term. Assuming that Caesars paid $30 million to “Scattered Spider” — the gaming company did not confirm that –that’s a small amount for a company with a market capitalization of $11.27 billion.

Ransomware acts must be disclosed, and while the full scope of what Caesars dealt with isn’t immediately clear, the operator isn’t characterizing the event as catastrophic.

“Although we are unable to predict the full impact of this incident on guest behavior in the future, including whether a change in our guests’ behavior could negatively impact our financial condition and results of operations on an ongoing basis, we currently do not expect that it will have a material effect on the Company’s financial condition and results of operations,” it concluded in the regulatory document.