With the exponential growth in the casino industry for on-ground and online betting, the industry has become a target for bad actors. According to Technavio’s latest U.S. market research, the industry is estimated to grow by $11.42 billion between 2021 and 2025. With billions of dollars at stake, bad actors are looking for any way to monetize attacks on casino gaming organizations. From ransom-related distributed denial of service attacks (RDDoS) to the exfiltration of customer data, casino operators must constantly be vigilant in protecting systems and data.

Over the past 18 months, the threat landscape has changed significantly in both the complexity and the frequency of attacks. Long gone are the days when a lone wolf attacker was manually knocking at the door. Threats range from nation-state attacks to attacks as a service, in which very organized and sophisticated teams use automated tools and bots to scour networks, looking for a way to hack in through a variety of methods that range from social engineering and email to brute force attacks on the network. Organizations are getting hit millions of times a day, and all it takes is one careless user or unpatched vulnerability to start the cascading events of a ransomware attack or the exfiltration of customer data that can later be monetized either through a ransom threat or on the dark web.

These challenges become more complicated as the technology surrounding the industry has changed. Ten years ago, on-premises operations were the norm, but now threats are sprawled across the internet in gaming, blockchain-based games, online sports betting, mobile payments and mobile games. This complicated mix of on-premises and cloud environments that third-party organizations often provide has created vulnerabilities at every corner. Although there is little published data on casino breaches, they are happening. One of the most famous breaches was a Las Vegas organization whose player tracking database was exfiltrated off the trusted network through an IoT thermometer in a fish tank back in 2018. Since then, the frequency and scope of cyberattacks have significantly increased. From MGM in Las Vegas to Lucky Star in Oklahoma, casino systems are being breached and data is being exfiltrated and locked down with ransomware, leaving organizations unable to operate until significant efforts in system restoration have taken place.

The environment and the attack strategies used against it are changing rapidly. Ransomware, distributed denial of service attacks with a ransom attached, and theft of customer data continue to lead the types of attacks. Hackers can monetize player tracking databases quickly due to the quality of the personal data contained in those records. Casinos face loss of reputation and customer confidence if the data they collect somehow ends up on the dark web. This can have a considerable impact on organizations, ranging from loss of revenue to decreased shareholder value. The erosion of customer trust can take years to rebuild and cost organizations millions of dollars in lost revenue.

According to Forbes, casino industry revenue will surpass the $44B mark in 2021. Why wouldn’t the casino industry draw the attention of bad actors? It is not a matter of if the organization will eventually be hit; it is only a matter of when. The only difference between one organization and another is how prepared the organization is for an attack and how long it takes to respond to the incident once the cards are dealt. Organizations with strong, layered defense strategies that practice incident response plans, understand their third-party risk and conduct disaster recovery simulations throughout the year have a much higher chance of success in the business resumption process. Casinos that fail to prepare a solid cybersecurity incident response plan roll the dice and take the chance that weeks of downtime could be a reality in the future. Just ask those organizations that have had to post signs like “Computer Systems are Down. Cash Only” what it was like after being down for several weeks.

With millions of dollars on the line, the casino industry is a target, and the threat landscape continues to grow. The real question is, how will the industry continue to respond to the changing threats?

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.