TribalNet speaker: Indian casinos, smaller gaming properties vulnerable to a cyber attack

Buck Wargo, CDC Gaming Reports · November 5, 2018 at 3:00 pm

A cyber security expert warned that tribal and smaller casinos are letting their guard down if they don’t think they’re vulnerable to hacking of customers’ credit card and other personal information.

Gus Fritschie, chief technology officer of Northern Virginia-based SeNet International, an IT cyber security services firm, kicked off the 19th annual TribalNet conference and trade show at the Hard Rock Hotel & Casino in Las Vegas Monday with a workshop on hacking and computer forensics.

The casino industry is not immune to cyber-attacks that have plagued major retailers over the years. In 2014, hackers, later determined to be Iranians, targeted Las Vegas Sands Corp. and stole credit card data, Social Security numbers and driver’s license numbers of customers. Hard drives were also wiped, and the company’s corporate website was defaced.

In 2015 and 2016, Hard Rock reported data breaches that targeted credit cards. In 2013, Affinity Gaming said its credit card system was breached in 12 casinos in four states. In 2017, reports surfaced of an unnamed North American casino targeted by hackers through a fish tank thermostat.

Fritschie said some breaches in the casino industry and other businesses go unreported.

“For every one you hear about in the news just like any other sector, there’s 10 others you don’t hear about because it doesn’t reach that level or you’re able to keep it confidential,” Fritschie said. “For these organizations, it’s not in their best interest to publicize unless they have to. That’s why you see more and more of these notification laws being passed at the state level.”

The public perception of casinos is surveillance cameras, guards and game protection, and that’s something they do well, Fritschie said.
IT security, however, is something several casinos are behind the curve on compared to other industries. It’s hard to show a return on investment for IT security unless there’s a breach.

“You have to look no further than the Las Vegas Sands where one of the largest gaming organizations in the world suffered a catastrophic breach with a fundamental flaw in their IT security program and protections and controls that allowed these Iranian hacktivists to gain access into their network,” Fritschie said. “The total cost was in the millions of millions of dollars.”

No one should get the impression, however, of what they see on the news when the Chinese are behind a targeted attack or some other big actor, Fritschie said.

“With a large majority of these breaches they could care less whether it’s a random tribe in Arizona or water utility company in Minnesota,” Fritschie said. “They are randomly seeing where vulnerabilities are and potential holes to be breached to make money. Some tribal casinos think they’re so small, and that no one is going to target us.”

One of the problems for the casino industry is vendor applications, programs and software from major gaming manufacturers with platforms that only work on certain operating systems. Fritschie said casinos would like to upgrade their systems but can’t because the vendor’s software isn’t supported on a new, safer and more secure operating system.

“I think what happened with the Sands woke people up to the nature of the players,” said Fritschie, who works with MGM Resorts International and Caesars Entertainment.

Large gaming organizations, he said, are committed to securing their systems.

“The risk and the concern are for these smaller operators, and when you get down to the tribal level there is even more concern,” Fritschie said.
“Unfortunately tribes, even more so than commercial casinos, have more issues with budgets and getting qualified staff that understand how to secure these environments.”

The largest tribes are the best positioned, but many tribal casinos have other priorities, such as development projects, and say they don’t have the funds, Fritschie said. It’s easier to show management something that generates revenue instead, he added.

“The majority of IT people agree with us, but with the tribal leadership or (a) board it takes convincing in order to spend that money,” Fritschie said. “I’ve had some IT leaders tell me we would rather not know what the problems are because they can tell their supervisors there are no issues.”

Security assessments to identify risks and vulnerabilities and make recommendations can cost anywhere from $10,000 to more than $100,000, Fritschie said. For most tribes, it would cost $10,000 to $25,000.

Some of the remediation is software patches by staff or installation of software to stop attacks. Much of the cost is having full-time staff monitor and investigate and stay on top of compliance, he said.

“That is where tribal casinos suffer sometimes because they have issues getting the right candidates to live and want to work there and be able to pay enough,” Fritschie said.

TribalNet CEO Mike Day said a cyber breach of customer data is an issue tribes and casinos fear. He said the workshop also was intended to show what to do once they’ve been breached and are about to land on the front page of the newspaper.

“What do you need to do to remediate it, close the holes as quickly as possible and what to do not just from a technology standpoint but a public relations standpoint,” Day said.