Hackers stole Social Security numbers and driver’s license numbers from a “significant number” of loyalty program customers of Caesars Entertainment, the hospitality and casino giant said Thursday.
The disclosure comes as another big Las Vegas brand, MGM Resorts, is recovering from its own apparent cyberattack in which guests on Monday reported being unable to make room charges and access their rooms with their digital keys.
The pair of hacks has put a spotlight on the computer defenses of the multibillion-dollar casino and hospitality business in Las Vegas, which are ripe targets for cybercriminals to extort.
Caesars Entertainment, which owns famous hotel-casinos such as Caesars Palace, confirmed on September 7 that the hackers had stolen a copy of the customer loyalty program database, in a filing with the Securities and Exchange Commission. The hackers broke into computer systems via “a social engineering attack” on an IT support contractor, according to the filing.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars Entertainment said. The company did not immediately respond to CNN’s questions as to what steps were taken and whether they included paying a ransom.
For its part, MGM Resorts has repeatedly referred to a “cybersecurity issue” in describing the disruption to some of its computer systems, but the incident has the hallmarks of a cyberattack.
“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly,” MGM Resorts said in a statement on Thursday morning. The company said on Monday, when news of the incident broke, that it had shut down certain computer systems to protect its data.
MGM Resorts did not respond to multiple requests for comment from CNN this week on how it was dealing with the apparent hack.
An FBI spokesperson said the bureau was investigating the cybersecurity incident at MGM Resorts but declined further comment, citing an ongoing investigation.
Scattered Spider considered a ‘serious threat’
It’s unclear who exactly was responsible for the cyberattacks. But a cybercriminal group known in the industry as Scattered Spider has been targeting casinos and hotels in recent weeks, according to Mandiant Consulting, a Google-owned cybersecurity firm.
Members of the hacking group “may be less experienced and younger” than many of the established cybercriminal gangs and state-backed cyber-espionage teams, but “they are a serious threat to large organizations in the United States,” said Charles Carmakal, Mandiant Consulting’s chief technology officer.
Some of the members of the group appear to be based in the United States and the United Kingdom, according to Carmakal and other sources interviewed by CNN. Bloomberg News reported on Wednesday that Scattered Spider was responsible for the pair of cyberattacks on Caesars Entertainment and MGM Resorts.
Reports that the hackers had used social-engineering techniques in which, for example, they pose as an IT support employee to gain access to an organization, raised concerns for cybersecurity experts.
“Most organizations focus on email-based threats in their technical tools and protocols,” Rachel Tobac, CEO of SocialProof Security, a social-engineering prevention firm, told CNN. “Many [organizations] are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone-based attacker in the act.”