Two prominent gaming operators, Caesars Entertainment and MGM Resorts International, are facing a total of nine federal lawsuits in the wake of cyberattacks that occurred in September 2023. The attacks, allegedly involving ALPHV and Scattered Spider, exposed sensitive personal information of thousands of customers, disrupted operations for one of the companies, and may have also affected three other firms, per a Reuters report.
Caesars Entertainment disclosed a social engineering attack on September 14th in a Securities and Exchange Commission filing. The investigation determined that an attacker gained access to a copy of the Caesars Rewards loyalty program database, which contained driver’s licenses and Social Security numbers.
MGM Resorts International also experienced a data breach beginning on September 10th. Hackers reportedly used similar social engineering tactics to infiltrate the company’s systems and download highly sensitive personal information of thousands of MGM customers.
These cyberattacks not only exposed sensitive data but also caused operational disruptions for Caesars Entertainment. The company’s online booking system and mobile app were unavailable for several days, impacting customer experience and potentially leading to lost revenue.
According to a credible source cited by CNBC, the cybercrime group responsible for the attack demanded $30 million from Caesars Entertainment. However, the operator agreed to pay half around $15 million to resolve the ransomware issue.
What we cover
Caesars, MGM Face Mounting Legal Battle after September Cyberattacks
In response to the data breaches and potential harm caused, customers and privacy activists have filed a series of lawsuits in New York, Illinois, and Nevada against both Caesars Entertainment and MGM Resorts International. As the details emerge, it’s clear the two gaming companies now face a complex, multi-faceted battle in the courts.
The first lawsuits were initiated in late September in Nevada courts by Las Vegas lawyers. Two of these lawsuits were filed against MGM Resorts, while the other two were filed against Caesars. These lawsuits allege negligence in protecting customer data and seek compensation for damages incurred, including credit monitoring, identity theft protection, and emotional distress.
The lawsuits seeking class action status were brought on behalf of individual customers, namely Alexis Giuffre and Paul Garcia against Caesars, and Emily Kirwan and Tonya Owens against MGM Resorts International The law firms responsible for filing these suits are Stranch, Jennings & Garvey, PLLC, and Kopelowitz Ostrow Ferguson Weiselberg Gilbert.
One lawsuit filed in the U.S. District Court in Nevada on Friday, October 27th, alleges that Caesars Entertainment failed to implement reasonable security measures to protect its customers’ personal information. The lawsuit further claims that the company was aware of the vulnerability used by the attackers but failed to take appropriate action to address it.
A similar complaint was filed against MGM Resorts International in the same court on Thursday, October 26th. This lawsuit alleges that the company failed to properly train employees on cybersecurity protocols and did not have adequate safeguards in place to prevent unauthorized access to its systems.
The Cybercrime Group also Target Atlantic City Casinos
The cyberattacks in question also targeted four Atlantic City casinos in September, at the same time when their counterparts in Las Vegas were facing the same ransomware situation. The most hit properties were Caesars-operated Harrah’s Atlantic City, Caesars Atlantic City, and Tropicana Atlantic City, which also runs Tropicana Online Casino NJ.
MGM’s Borgata Hotel Casino and Spa was also affected, including some services offered by its online casino. Hackers are believed to have accessed vast troves of customer data at these properties, potentially compromising millions of individual records containing sensitive personal information.
A shadowy hacking group called Scattered Spider later took credit for the intrusions. In the disruptive aftermath, phone systems, internet, and other IT infrastructure at the casinos were knocked offline for days as IT teams worked tirelessly to eject the attackers, secure vulnerable systems, and restore normal operations.
In statements issued in October, both Caesars and MGM were forced to acknowledge that customer data had indeed been accessed without authorization during the cyberattacks. They pledged to individually notify affected customers and take steps to strengthen security protocols moving forward.
Potential Impact and Implications of the Breaches and Lawsuits
The data breaches at Caesars Entertainment and MGM Resorts International highlight the growing threat of cyberattacks against the gaming industry. These incidents raise serious concerns about the security of customer data and the potential consequences of such breaches.
The lawsuits filed against both companies could have significant financial implications. If the plaintiffs are successful, Caesars Entertainment and MGM Resorts International could be liable for millions of dollars in damages. These lawsuits could also lead to increased regulatory scrutiny and stricter data security requirements for the gaming industry.
If found liable, the casino giants could face massive financial penalties. Damages will depend on how many individual customers are ultimately proven to be impacted by the cyberattacks. Statutory damages may also apply based on each state’s laws.
Reputational harm and lost business during the disruptions must also be considered. Reports indicate Caesars paid $15 million to hackers following its separate ransomware incident, setting a benchmark for potential costs.
Moving Forward
In the wake of these cyberattacks, Caesars Entertainment and MGM Resorts International have taken steps to improve their cybersecurity posture. Both companies have engaged leading cybersecurity experts to review their systems and identify vulnerabilities. They have also implemented additional security measures to prevent future attacks.
In related developments, Caesars Entertainment saw the departure of a senior cybersecurity leader around the same time as the data breach disclosure. John Roskoph, Senior Vice President of Strategy, Infrastructure and Cybersecurity, announced his exit from the role in a LinkedIn post.
While the timing of Roskoph’s resignation raised some questions, sources within Caesars maintained it was unrelated to the cyber incident. They said his departure had long been planned and that the company supported his new opportunity to join supply chain firm NFI based in New Jersey.
Summing Up
The cyberattacks against Caesars Entertainment and MGM Resorts International serve as a stark reminder of the importance of data security in the gaming industry. However, many questions remain unanswered. Ongoing investigations may uncover more about how the hackers infiltrated systems and what data was truly accessed. It’s also unclear how state attorneys general and federal agencies may ultimately get involved.
