Whatever happens in Vegas, will not stay in Vegas – Casino Cyberattacks
Loyola University Chicago School of Law, J.D. 2025
On September 11th, 2023, a cyberattack flooded the front pages of publications around the world: MGM Resorts and Caesars Entertainment were the victims of a costly incident. Patrons looking to enter their hotel rooms, go for another spin on the slot machines, or use casino rewards were appalled at the persistent error messages that kept preventing them from doing so. The breach lasted over a week without a clear and decisive end to the damage, leaving travelers vulnerable. Customarily, companies seek to find the culprit of a breach, curtail its ability to do more damage, and inform patrons that their safety has been restored; this proactiveness was missing.
Tactics implemented by hackers to gain access
As previously mentioned, the ransomware group gained access to MGM Resorts’ records with a phone call to an employee. A representative of the ransomware group told the Financial Times that they pretended to be an MGM employee whom they had found on LinkedIn, an employment-focused social media platform. The hackers are well known in Europe and possibly in the U.S. and are said to be more dangerous and convincing because of their ability to speak fluent English. The same Financial Times report also claims that the group then made a ransomware demand to be paid in cryptocurrency, a common tactic that ransomware groups have been using for decades.
Caesars Entertainment, the other large casino that fell victim to a cyberattack in recent weeks, also received a ransomware demand. A Bloomberg report said that Caesars paid $15 million in ransomware demands to the same group that struck MGM, in an effort to keep personal information and data from going public. Had Caesars not acted promptly in this situation, it would have led some of its patrons to lose trust in the company.
Compliance efforts to protect personal information
In an effort to protect their citizens’ personal information, some jurisdictions across the United States have tried to implement statutes on the protection of personal information. These statutes aim to protect the personal information that is scattered across the web (usually from online purchases) from hackers who look to exploit it. In Nevada, Senate Bill 260 provides guidelines as to whom this data privacy statute applies and what repercussions may be available against operators of an online commercial entity that fails to abide by the outlined principles. According to Sara Morrison of Vox, multiple reports have attributed the cyberattack on MGM Resorts to human error, where persuasive phone call tactics alluding to publicly available information were enough to lead an employee of MGM to grant the ransomware group access to the sensitive files of personal information. This would likely constitute enough to hold MGM Resorts vicariously liable for its employee’s conduct, leaving the company susceptible to large consequences from the Attorney General (AG), as they see fit.
Nevada defers to the AG in deciding the outcome of Personal Information Protection Act (PIPA) violations. In Nevada, the AG is able either to impose a permanent or temporary injunction against the party against which the claims are brought or to impose a civil penalty that will not exceed $5,000 for each violation. Since the employee is acting on behalf of their employer, and thus is controlled by them, this would likely constitute enough to hold MGM Resorts vicariously liable for its employee’s conduct. This could leave the company susceptible to large consequences from the AG, as they see fit.
How do we move forward in light of the sharp uptick of hacker brilliance?
Although these attacks are fresh and have caused lots of damage, there is actually a decrease in the number of attacks happening in 2023. PandaSecurity describes how the increase in ransomware attacks is finally ending and how data has shown a decrease in the number of breaches in the last calendar year. However, although the number of attacks is decreasing, the demands have only increased. The average ransomware demand rose from $115,000 to $570,000 from 2019 to 2021. This growth will likely continue, which raises the question: What do we do?
Firstly, it would appear that corporations are starting to realize the importance of the safety of their networks and servers, which is likely why we are seeing companies begin to implement cybersecurity training for their employees that helps detect phishing attempts. Secondly, I believe that the federal government needs to enact legislation that is applicable to all states, rather than leaving jurisdictions to dictate their own measures. The latter allows hackers to hollow out jurisdictions with less-than-perfect barriers.
Lastly, I believe that this will bring about a difference in the way transactional law is approached and conducted. A lot of the cyberattacks that are happening are partially covered by insurance plans that do not sufficiently account for the risks involved. I believe that going forward, corporations will be financially shielded from such attacks by way of their insurance policies. Furthermore, I foresee consumers becoming accustomed to the risks of being online shoppers and being more understanding with their customer loyalty. Pointing the finger at the hackers, rather than at corporations that are trying their best, seems like the most reasonable way to go about this growing issue.