Two West Coast tribal casinos shared their experiences of cyberattacks that shuttered their properties for two to three weeks in 2020 to provide insights to other operators and prevent it from happening to them.
During a session Wednesday at the TribalNet Conference & Tradeshow in Reno, Chad Dixson, the MIS network manager for the Yavapai-Prescott Indian Tribe in northern Arizona, which operates the Bucky’s and Yavapai casinos, and Stephen Bailey, vice president of IT at the Cache Creek Casino Resort in northern California, shared their tribes’ experiences.
The Yavapai tribe’s two casinos were shuttered for two weeks in October 2020. They didn’t reopen until they made a ransomware payment to have their encrypted data returned.
Cache Creek sustained a ransomware attack and closed for three weeks, starting in September 2020.
“Most of the organization has PTSD because of it,” said Bailey, who came on board about 18 months ago. “We’re still doing a lot of remediation because of it.”
Before he joined Cache Creek, Bailey worked at the Venetian in Las Vegas, which was breached in 2014; when he started working there in 2017, the casino was still remediating from that cyberattack.
“Work is never done in this space and you need to continue to focus on it,” Bailey said.
Dixson said his tribe obtained cyber insurance in June 2020 that helped cover lost revenue and pay. But insurance is no longer as inexpensive as it once was and Yavapai-Prescott didn’t get its insurance renewed. It was replaced, but at more than five times the previous price.
“Cyber insurance can help you, but the insurance companies are tightening the screws on us,” Dixson said. “Not only are the rates getting higher, but it’s harder to qualify. If you can make it through the qualifications to get cyber insurance, you’ll be in a really good place in terms of your baseline for cyber security. The insurance companies will go over everything with a fine-tooth comb.”
Dixson said it’s impossible to stop cyberattacks in their entirety, but casinos can go a long way toward defending against them. Partnering with an auditing firm that knows information technology, for example, helps uncover weaknesses that can be addressed.
After the attack at Cache Creek, Bailey said they had a third-party assessment completed. They learned they had a lot to work on and developed a roadmap to address the weaknesses.
“Our situation was that an outsider was able to get access to our internal systems and take them down,” Bailey said. “We felt it was important to have conditional access and that only employees could access company information from company-issued devices. Having malware protection was important and we had proper monitoring in place. It’s going to take years for us to get our infrastructure to a state where we feel it’s more secure. While we’re doing that, we have to make sure we monitor things 24/7, so if somebody does attempt to breach us again, hopefully we catch them before it impacts our business.”
Reese Weber, chief information security and privacy officer at the Indian Health Service, California area, said she knows of three tribes hit by ransomware attacks in the last two years, all of which were penetrated through email. All three breaches could have been avoided with solutions that notified them of a problem before it occurred, she said.
“Ransomware is not always the actual crime,” Weber said. “The crime has already happened and they’ve implemented ransomware to obscure that they have taken data from your network. If you can afford it – some solutions can be expensive – they can make the difference in catching it before it happens. It takes so long to recover from, plus a lot of money and labor. Even if you have cyber insurance, everything is disrupted.”
Dixson said they learned some difficult lessons about not being prepared for a ransomware attack. The options were to either start from scratch or pay the hacker’s demand, but it didn’t take long before they decided to pay out. He would not disclose the amount.
“The longer you can wait, the less the ransom becomes,” Dixson said. “The bad guys get antsy. They ask for astronomical numbers in Bitcoin, but each day the ransom decreases by quite a bit.”
While some suggest not paying, Dixson said sometimes you don’t have a choice.
“It’s a gamble, because when you get that encryption key, you have no idea if it’s really going to work,” Dixson said. “We were told by one of the partners (the insurance company) brought to us that the gang we were working with were ‘honest criminals.’ Their tools work, and they did for us.”
Weber said in healthcare cases where ransoms are paid out, the Department of Health and Human Services will fine operators because that’s protected information. “You pay twice,” he said, “to the criminal and then the government.”
