Caesars Entertainment Paid Millions to Hackers, Now Look Like Geniuses

By Scott Roeben, on September 13 2023
5 min read 11 comments
Las Vegas

As MGM Resorts continues to grapple with its cyberattack nightmare, it’s being reported Caesars Entertainment paid hackers millions of dollars to avoid a similar fate.

Bloomberg reports, “Caesars Entertainment Inc. paid tens of millions of dollars to hackers who broke into the company’s systems in recent weeks and threatened to release the company’s data.”

We shared this rumor back on Sep. 11, 2023, but it sometimes takes old-school media a minute to catch up.

Probably not the actual Caesar.

Until recently, public companies weren’t compelled to report cyberattacks, or ransoms paid to hackers, but as we shared in our story about the MGM Resorts situation, recent SEC rule changes now require they do so.

In other words, the Caesars payoff to hackers would’ve never seen the light of day, as has happened fairly regularly in the past.

Some hacks make the news, many don’t. Here’s a list of the more notable casino cyberattacks.

We got multiple messages from Caesars Entertainment guests saying systems were down at the company’s resorts, but the issues never became widespread, presumably because the ransom was paid.

Given the immense financial and P.R. disaster unfolding at MGM Resorts (they’re in a fourth day of WTF, despite public statements everything’s peachy), Caesars Entertainment’s decision is looking like pure genius.

The old “we don’t negotiate with terrorists” strategy doesn’t make a lot of sense when there’s insurance to reimburse $30 million in pocket change and you get to continue with business as usual.

Lots of companies are grappling with cybersecurity challenges at the moment, of course.

Casinos spend massive amounts of money on security, of all kinds, but the bad guys tend to be a step ahead.

The ransomware gang (ALPHV/BlackCat) that has claimed responsibility for the MGM Resorts hack has also hit Mazars Group, OilTanking GmbH, Swissport, Florida International University, University of North Carolina A&T and Seiko.

Bloomberg says Caesars Entertainment was hit by Scattered Spider or UNC 3944, possibly in conjunction with ALPHV/BlackCat.

In most cases, hackers gain access to internal systems via social engineering.

A different kind of social engineering has been used to convince several casinos to deliver cash to criminals. In those cases, scam artists targeted casino cashier employees, impersonating casino owners or executives. Human beings will always be the weak link in security systems of any kind.

The danger in paying off hackers is obvious, it encourages others to try their hand at digital extortion.

In retrospect, Caesars Entertainment appears to have done the best thing, if not the “right” thing. MGM Resorts may be fighting the good fight, but at what cost?

Update (9/13/23): Our sources say Caesars Entertainment paid $15 million to the hackers to resolve its data breach. The original demand was $30 million. (We are not making this up. Caesars talked them down like an episode of “Pawn Stars.”) An SEC disclosure is anticipated tomorrow (Sep. 14, 2023), before the market opens. It’s not anticipated the disclosure will include the ransom specifics. Steps were taken to ensure customer data was protected, and hackers did not get into the company’s operational systems. The hacker reportedly gained access to customer data through a third party company. We trust they’re fired, and should probably lawyer up. Caesars Entertainment will be jumping through all the usual hoops related to customer notification about the data breach, including letters informing customers their data was compromised, and providing credit monitoring services.

Update (9/14/23): As we shared previously, Caesars Entertainment has filed its disclosure document with the SEC. See it here. We shall cut and paste the content of their Form 8-K so it looks like we exerted effort.

“Caesars Entertainment, Inc. (the ‘Company,’ ‘we,’ or ‘our’) recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company. Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.

“After detecting the suspicious activity, we quickly activated our incident response protocols and implemented a series of containment and remediation measures to reinforce the security of our information technology network. We also launched an investigation, engaged leading cybersecurity firms to assist, and notified law enforcement and state gaming regulators. As a result of our investigation, on September 7, 2023, we determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database. We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor. We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program. To sign up for these services, members may call (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.

“Additionally, we will be notifying individuals affected by this incident consistent with our legal obligations. These notifications will be made on a rolling basis in the coming weeks. In the meantime, individuals with questions may contact the dedicated incident response line we have established to address questions about this incident, which can be reached at (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.

“While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents. These efforts are ongoing. We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems.

“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined. Although we are unable to predict the full impact of this incident on guest behavior in the future, including whether a change in our guests’ behavior could negatively impact our financial condition and results of operations on an ongoing basis, we currently do not expect that it will have a material effect on the Company’s financial condition and results of operations.

“The trust of our valued guests and members is deeply important to us, and we regret any concern or inconvenience this may cause.

“For additional information, please visit https://response.idx.us/caesars. Information set forth on that website is not incorporated herein by reference.”

Update (9/14/23): Seriously.

Update (9/19/23): It appears the third party vendor was Okta. An official for the company said hackers used the company’s technology as an “access vector.”

Update (9/20/23): You can hear us talk about the Caesars Entertainment and MGM Resorts hacks on City Cast, a Las Vegas podcast.

Update (9/29/23): John Roskoph, SVP of Strategy, Infrastructure and CyberSecurity for Caesars Entertainment has left the company to pursue other opportunities.