A recent Wendy’s hack exposed the credit card information of many of its customers. Coming on the heels of attacks on data ranging from infidelity dating site Ashley Madison to drug chain CVS to the U.S. government’s Office of Personnel Management, the Wendy’s breach is a reminder that our sensitive data isn’t as secure as we’d like it to be. Casino operators face challenges in keeping customer data safe, but they have a range of tools to help them.
In the Wendy’s hack, like many other breaches that make the news, payment data including cardholder name, card number and expiration date—the things you need to make a purchase—were stolen from more than a thousand stores (including three in Northern Nevada but none in Las Vegas).
The prospect of similar breaches of casino data—which can include not only credit card details, but also sensitive personal and financial information—has long been a concern in Nevada. More than five years ago (“Serious About Cyber Security,” January 13, 2011), the Nevada Gaming Control Board circulated a letter intended “as a reminder for all affected licensees to conduct periodic reviews of security measures in place” and ensure compliance with the state’s breach disclosure provisions. Further, it indicated that failure to comply with all federal, state and local laws mandating strong cyber security may be determined, in the Commission’s judgment, “an unsuitable method of operation,” an extremely unpleasant prospect for a licensee.
The most serious attack to date on a casino operator was the February 2014 hack of Las Vegas Sands Corp., owner of the Venetian and the Palazzo. After a concerted effort, saboteurs unleashed a malware bomb that swept through the company’s IT system. The assault, allegedly perpetrated by Iranian “hacktivists,” resulted in a massive crash in the company’s computers in Las Vegas and Bethlehem, Pennsylvania (where it owns the Sands Bethlehem).
Thousands of files were compromised in the attack, including customer and employee data. Then-CEO Michael Leven estimated the damage at more than $40 million. The breach has not resulted in any regulatory action or claims against Sands, but it highlights just how important cyber security is, and how costly breaches can be.
Disturbingly, the Sands attack is only the tip of the iceberg for the disaster potential of future attacks. The same innovation that demands casinos offer customers new ways to play and connect makes them extremely vulnerable.
“If you have an online gaming site,” says Curtis Levinson, director of cyber security consulting for White Sand Gaming, “you are advertising, ‘Hack me.’ If you are a casino providing guest Wi-Fi, you are advertising, ‘Hack me.’”
“It really is everything,” White Sand CEO Sal Scheri says. “You have guests using Wi-Fi and employees, too. Once you gain access, you can get into everything, including internal systems and customer information.”
Free Wi-Fi—a welcome perk for most of us—is dangerous because cyber criminals can use it to capture data transmitted, which can include phone numbers, log-in data and passwords. In his executive protection practice, Levinson recommends that traveling business leaders never, under any circumstances, use a public Wi-Fi network, but instead use their phones to set up their own hot spots. He advises all travelers do the same.
The ease and ubiquity of Wi-Fi hot spots, though, create more vulnerabilities for casinos. Levinson describes a scenario in which cyber criminals can hook a commercially available hot spot up to battery packs, surreptitiously install it on a casino floor and set it to vacuum up cellular and Wi-Fi data. “That includes,” he says, “cell numbers, conversations, any data sent and passwords.” Criminals can also use these hot spots to hack casino systems.
This kind of malfeasance can be combatted; Levinson recommends that casinos do regular wireless site surveys, which reveal everything. “You can sit in the surveillance room and watch the hot spots bloom all over the casino,” he says.
The key to preventing attacks is good procedure; businesses can mitigate the harm of ransomware attacks (in which hackers compromise systems and demand payment to restore access) by developing good business continuity and disaster recovery protocols. If backup and recovery procedures are good enough, casinos need never pay a ransom; they simply wipe their systems and restore them.
With the costs of compromised data and lost operations so high, Levinson advises casinos—and customers—to make cyber security a priority before the next big hack. With escalating stakes and rapidly advancing technology, it is certain that cyberspace will continue to be a battleground.
David G. Schwartz is the director of UNLV’s Center for Gaming Research.
