LAS VEGAS — Casino company Caesars Entertainment on Thursday joined Las Vegas gambling rival MGM Resorts International in reporting that it was hit by a cyber attack, but added in a report to federal regulators that its casino and online operations were not disrupted.
The Reno-based publicly traded company told the federal Securities and Exchange Commission it could not guarantee the personal information of tens of thousands of customers was safe after a Sept. 7 data breach that may have exposed driver’s licenses and Social Security numbers of loyalty rewards members.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor,” the company said, “although we cannot guarantee this outcome.”
Brett Callow, threat analyst for New Zealand-based cybersecurity firm Emsisoft, said it was not clear whether a ransom was paid or who was responsible for the intrusion — and for the attack reported Monday by MGM Resorts.
“Unofficially, we saw a group called the Scattered Spider claim responsibility,” Callow said. “They appear to be native English speakers under the umbrella of a Russian-based operation called ALPHV or BlackCat.”
Scattered Spider is also known as UNC3944, said Charles Carmakal, chief technical officer at cybersecurity firm Mandiant. He called the group “incredibly disruptive and aggressive” in recent targeting of hospitality and entertainment organizations.
“They exploit crafting that is challenging for many organizations with mature security programs to defend against,” Carmakal said in a statement.
Mandiant said in a blog analysis published Thursday that the group uses SMS phishing and phone calls to help desks to try to get password resets or multi-factor bypass codes.
“This relatively new player in the ransomware industry has hit at least 100 organizations, most of them in the United States and Canada,” Mandiant said.
Caesars is the largest casino owner in the world with more than 65 million Caesars Rewards members and properties in 18 states and Canada under the Caesars, Harrah’s, Horseshoe and Eldorado brands. It also has mobile and online operations and sports betting. Company officials did not respond to emailed questions from The Associated Press.
The company told the SEC that loyalty program customers were offered credit monitoring and identity theft protection.
There was no evidence that the intruder obtained member passwords or bank account and debit card information, the company reported, adding that operations at casinos and online “have not been affected by this incident and are continuing without interruption.”
The Caesars disclosure came after MGM Resorts International, the largest casino company in Las Vegas, publicly reported Monday that a cyber attack it discovered Sunday led it to shut down computer systems at its properties across the United States to protect data .
MGM Resorts said reservations and casino floors in Las Vegas and other states were affected. Customers shared stories on social media of being unable to make credit card transactions, get money from ATMs or get into hotel rooms. Some video game machines were dark.
MGM Resorts has about 40 million loyalty rewards and tens of thousands of hotel rooms in Las Vegas at properties including the MGM Grand, Bellagio, Aria and Mandalay Bay. It also operates properties in China and Macau.
A company filing Tuesday with the SEC pointed to its Monday news release. The FBI said an investigation was ongoing but offered no further information.
Some MGM Resorts computer systems were still down Thursday, including hotel reservations and payroll. But company spokesman Brian Ahern said its 75,000 employees in the US and overseas were expected to be paid on time.
Callow, speaking by phone from British Columbia, Canada, called most media accounts of the incidents speculative because information appeared to come from the same entities that claim to have carried out the attacks. He said recovery from cyber attacks can take months.
Callow pointed to reports, which he called “plausible,” that Caesars Entertainment was asked to pay $30 million for a promise to secure its data and may have paid $15 million. He also noted that the company did not describe in the SEC report the steps taken to ensure that the stolen data was secure.
The highest ransom believed to have been paid to cyber attackers was $40 million by insurance giant CNA Financial, Callow said, following a data breach in March 2021.
“In these cases, organizations are basically paying to get a ‘pinky promise,'” he said. “There’s no way of knowing that (hackers) will delete (stolen data) or that it won’t be used elsewhere.”