What Happens in Vegas Doesn’t Always Stay in Vegas: Is Your Data Being Protected?

by Sarah Harvey / April 16th, 2019

What do cities like Las Vegas, Atlantic City, Monte Carlo, and Macau all have in common? They’re some of the most lucrative cities in the world for gambling, which means that they are all at risk for data breaches. Whether it’s the casinos themselves or the hotels connected to the casinos, there are sensitive assets to be stolen. Let’s take a look at why the gaming industry is at such high risk for data breaches and how your business can prepare.

Cybersecurity Threats to the Gaming Industry

The gaming industry has earned a reputation for strict, effective physical security, but what about cybersecurity? What data is being collected about players? How is it being stored? Who is protecting that data? Many people visit casinos because there’s a certain level of privacy that’s widely expected and provided; players feel that they can gamble and enjoy the allure of casinos without their identity being compromised. However, malicious hackers have no regard for privacy and will do everything they can to compromise sensitive data.

Consider casino data security, for example. If a casino is connected to a hotel, what would happen if the networks weren’t segmented properly? Suppose a hacker has found a way into the casino’s gaming network. From there, they could access the security cameras, manipulate odds, view payout information for each machine, alter rewards information, or worse. And because casinos are often connected to hotels, restaurants, bars, and retail stores, they’re exposed to even more cyber threats. Point-of-sale systems, ATMs, employees – they’re all vulnerable.

Staying Protected in the Gaming Industry

We know that the large amounts of sensitive data, especially financial information, available at casinos make them that much more susceptible to cyber-attacks. That’s why securing the sensitive data of players is critical to ensuring the longevity of the casino industry. If players can’t expect their data to be protected, or they feel that they’re at risk of being exposed, why would they continue gambling at your location? To secure the data that fuels the casino industry, there are a few proactive steps that casinos can implement.

  1. Penetration Testing: Penetration testing, or ethical hacking, gives organizations insights into their security posture by showing them their security strengths and weaknesses through simulated yet real-world exercises. This means that organizations are then able to risk-rank security vulnerabilities and remediate accordingly, potentially preventing cyber-attacks before they happen.
  2. Security Awareness Training: As in all industries, employees pose one of the biggest threats to security at casinos. Whether it’s a blackjack dealer, bartender, or front desk receptionist, all employees are at risk of falling for cyber-attacks. Implementing security awareness training for casino personnel will help employees identify, report, and prevent attacks.
  3. Incident Response Plan Training: It’s a matter of when, not if, cyber-attacks will occur, and casinos must be prepared. Having an effective incident response plan in place is critical, but practicing that plan is equally important. When an attack occurs, the incident response plan must be executed flawlessly; if it isn’t, there could be cost implications. Conducting regular incident response plan training should be a top priority among casinos.
  4. Cyber Insurance: The average cost of a data breach is upwards of $4 million, so casinos and other gaming institutions would be wise to have a cyber insurance policy in place in the event that a data breach or security incident does occur. That policy should include first-party coverages, which address losses that directly impact the casino as a result of a data breach, such as loss of sensitive data, and third-party coverages, which address claims by other parties impacted by the breach.

Case Study: Hard Rock Hotel & Casino Las Vegas

Over the last few years, the Hard Rock Hotel & Casino Las Vegas experienced a series of data breaches caused by hackers gaining unauthorized POS network access and installing POS scraping malware. Payment card information, including cardholder names, credit card numbers, and CVV codes, was stolen. Though each data breach in the series was slightly different, they all underscore the necessity for casinos, and especially resorts with numerous amenities, to implement a robust cybersecurity program that segments each part of the resort from the others. In Hard Rock’s case, only the hotel portion of the resort was impacted during the first breach in 2015. In 2016, however, the entire resort was impacted by malware.

While casino heists and hacks are often portrayed in Hollywood films, there’s nothing fictional about the threat of cyber attacks to casinos. Malicious hackers are creative and cunning, and their attacks are only getting more sophisticated. If your organization is committed to remaining secure in the gaming industry, don’t gamble on cybersecurity. Contact us today to learn how our audit, penetration testing, and consulting services can help keep you and your players secure.
