Hackers are gravitating from phishing to fish tanks, according to a cybersecurity expert, who related this week how criminals were able to steal a casino’s high-roller database by gaining access to its computer network via a smart thermostat in its tropical aquarium.


Cyber attackers were able to breach an unnamed Las Vegas casino’s security via its fish tank, such as the one seen here at the Silverton, which happens to have mermaids swimming in it. (Image: Silverton Casino)

Speaking at the WSJ CEO Council Conference in London, Nicole Eagan, the CEO of cyber defense company Darktrace, said that once the hackers had breached the system of the unnamed Las Vegas casino they were able to “pull [the database] back across the network, out the thermostat, and up to the cloud.”

News of the casino fish tank heist came amid warnings that hackers are increasingly targeting “internet of things” (IoT) devices to find their way into corporate networks. As internet-connected smart gadgets and appliances become more common, they are creating more weak links in corporate security, said Eagan.

Monster Botnet

In 2016, the virulent Mirai botnet was able to harness the power of thousands of IoT devices across the world to launch the most powerful distributed denial of service (DDoS) attack ever recorded.

DDoS attacks cripple a company’s servers with thousands of requests for information and are typically accompanied by a ransom demand to restore normal services.

Mirai took out a large corner of the internet when it targeted Dyn, a company that controls much of the web’s DNS infrastructure. Major websites like Twitter, Netflix and CNN were temporarily knocked offline by the assault.

Online gaming websites have long been targets for ransomed DDoS attacks, but hackers intent on stealing data are increasingly turning to land-based casinos in search of the financial details of wealthy patrons.

Hard Hit Hard Rock

The Hard Rock Las Vegas, among others, has been embarrassed by a series of breaches in recent years. Since May 2015, hackers have, on three separate occasions, been able to steal cardholder names, credit card numbers, and CVV codes from Hard Rock customers.

Also on the panel in London was Robert Hannigan, who ran the British government’s digital-spying agency, Government Communications Headquarters (GCHQ), from 2014 to 2017. He called for more regulation to establish a framework of safety standards for IoT devices.

“With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem,” Hannigan said. “I saw a bank that had been hacked through its CCTV cameras, because these devices are bought purely on cost.

“It’s probably one area where there’ll likely need to be regulation for minimum security standards, because the market isn’t going to correct itself,” he added. “The problem is these devices still work – the fish tank or the CCTV camera still work.”