As MGM Resorts continues to grapple with its cyberattack nightmare, it’s being reported Caesars Entertainment paid hackers millions of dollars to avoid a similar fate.
Bloomberg reports, “Caesars Entertainment Inc. paid tens of millions of dollars to hackers who broke into the company’s systems in recent weeks and threatened to release the company’s data.”
We shared this rumor back on Sep. 11, 2023, but it sometimes takes old-school media a minute to catch up.
Until recently, public companies weren’t compelled to report cyberattacks, or ransoms paid to hackers, but as we shared in our story about the MGM Resorts situation, recent SEC rule changes now require they do so.
In other words, before the rule change, the Caesars payoff to hackers would’ve never seen the light of day, as has happened fairly regularly in the past.
Some hacks make the news, many don’t. Here’s a list of the more notable casino cyberattacks.
We got multiple messages from Caesars Entertainment guests saying systems were down at the company’s resorts, but the issues never became widespread, presumably because the ransom was paid.
Given the immense financial and P.R. disaster unfolding at MGM Resorts (they’re in a fourth day of WTF, despite public statements everything’s peachy), Caesars Entertainment’s decision is looking like pure genius.
The old “we don’t negotiate with terrorists” strategy doesn’t make a lot of sense when there’s insurance to reimburse $30 million in pocket change and you get to continue with business as usual.
Lots of companies are grappling with cybersecurity challenges at the moment, of course.
Casinos spend massive amounts of money on security, of all kinds, but the bad guys tend to be a step ahead.
The ransomware gang (ALPHV/BlackCat) that has claimed responsibility for the MGM Resorts hack has also hit Mazars Group, OilTanking GmbH, Swissport, Florida International University, University of North Carolina A&T and Seiko.
Bloomberg says Caesars Entertainment was hit by Scattered Spider, also tracked as UNC3944, possibly in conjunction with ALPHV/BlackCat.
In most cases, hackers gain access to internal systems via social engineering.
A different kind of social engineering has been used to convince several casinos to deliver cash to criminals. In those cases, scam artists targeted casino cashier employees, impersonating casino owners or executives. Human beings will always be the weak link in security systems of any kind.
The danger in paying off hackers is obvious: it encourages others to try their hand at digital extortion.
In retrospect, Caesars Entertainment appears to have done the best thing, if not the “right” thing. MGM Resorts may be fighting the good fight, but at what cost?
Update (9/13/23): Our sources say Caesars Entertainment paid $15 million to the hackers to resolve its data breach. The original demand was $30 million. (We are not making this up. Caesars talked them down like an episode of “Pawn Stars.”) An SEC disclosure is anticipated tomorrow (Sep. 14, 2023), before the market opens. It’s not anticipated the disclosure will include the ransom specifics. Steps were taken to ensure customer data was protected, and hackers did not get into the company’s operational systems. The hacker reportedly gained access to customer data through a third-party company. We trust they’re fired, and should probably lawyer up. Caesars Entertainment will be jumping through all the usual hoops related to customer notification about the data breach, including letters informing customers their data was compromised, and providing credit monitoring services.