Las Vegas Casino Cyberattacks: A Timeline

Posted on: September 12, 2023, 01:56h. 

Last updated on: September 13, 2023, 06:59h.

Everyone reading this knows about the cybersecurity attack severely impacting properties operated by MGM Resorts International in Las Vegas this week and properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York, and Ohio. However, this was not Las Vegas’ first experience with cyberterrorism. It’s not even MGM’s.

MGM Grand in Las Vegas
The MGM Grand in Las Vegas was among one of 10 MGM Resorts properties in Las Vegas severely impacted by a cyberattack this week. (Image: YouTube/Coolist, inset: itsec.group)

Cyberattacks aren’t uncommon at Las Vegas casinos. Many don’t get reported, according to Casino.org’s own Vital Vegas blogger Scott Roeben. However several casinos have paid ransoms to get their data or systems back. In fact, according to Roeben, Caesars Entertainment may have been hit last week with a similar attack.

In the past, public companies weren’t required by law to share the fact they’d been attacked or paid ransoms, often in the millions of dollars.

That changed recently when the Securities and Exchange Commission (SEC ) adopted new rules requiring the reporting of cybersecurity incidents and the amount of any ransoms paid to resolve them.

Below is a timeline of the biggest data security attacks suffered by the Vegas casino industry — at least the ones we know about.

Venetian
Venetian was hacked by Iran in retribution to inflammatory statements made by founder/CEO Sheldon Adelson in 2013. (American Express)

The Venetian/Palazzo

February 2014

An act of state-sponsored cyberterrorism decimated systems at the Las Vegas Sands Corporation — operator of The Venetian/Palazzo and Sands Expo and Convention Center — wiping out 75% of the company’s Vegas-based servers and causing an estimated $40 million in equipment costs and data recovery.

The attack had no financial motive and was apparently orchestrated to punish Sands’ CEO and largest shareholder, billionaire Sheldon Adelson, for comments he made in a panel discussion at Yeshiva University the previous October. During that discussion, Adelson suggested that the U.S. should detonate a nuclear bomb in the Iranian desert if Tehran continued its nuclear program.

According to former U.S. Director of National Intelligence James Clapper, the Iranian government was behind the attack. A message left on company servers read: “Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime.” The note was signed by the “Anti WMD Team.” 

Golden Nugget

May 2014-March 2015
May 2015-December 2015

A payment card breach was discovered at more than 300 casinos, restaurants, and hotels owned by Houston, Tex.-based Landry’s. This included all six of its Golden Nugget casinos.

Hackers installed a program on the company’s systems that captured payment card info — including cardholder names, card numbers, expiration dates, and internal verification codes — at the company’s food and beverage outlets, spas, and entertainment locations.

Hard Rock Hotel & Casino
Cyberattacks created hard times for the Hard Rock before it reopened as Virgin Hotels Las Vegas in 2021. (Image: vegasslotsonline.com)

Hard Rock Hotel & Casino

October 2015-March 2016
August 2016-March 2017

Customer credit cards were scraped at bars, restaurants, and retain shops in the casino via malware infecting its card processing system. Hotel guest names, card numbers, expiration dates, and CVV codes were stolen.

The rock ‘n roll-themed casino discovered the breach after guests complained of fraudulent activity on their credit cards.

A third-party reservations system called SHS infected multiple hotels, including the Hard Rock, only three months later. That breach granted unauthorized access to credit card information, as well as to reservation information.

The Hard Rock closed on Feb. 3, 2020, and reopened as Virgin Hotels Las Vegas — presumably with all new card processing systems — the following year.

MGM Resorts International

Summer 2019

MGM’s first known major data breach originally resulted in the publishing personal data from about 10 million guests on a Russian hacking forum.

At the time, MGM admitted that the data was hacked from a cloud server containing “a limited amount of information for certain previous guests.” It noted that the breach did not include financial, payment card, or password data.

In 2022, however, the cyber threat detection service vpnMentor reported that a subsequent data dump  on social messaging channel Telegram exposed personal data obtained during the same breach from around 30 million guests.

That included the names, postal and e-mail addresses, phone numbers, and dates of birth of MGM customers, including government officials, journalists, and celebrities — such as singer Justin Bieber and Twitter founder Jack Dorsey.

At one point, all 142 million data sets were available for purchase on the dark web for $2,900.

Four Queens/Binion’s Gambling Hall

Feb. 27-March 5, 2020

These two downtown casinos, both operated by TLC Casino Enterprises, were closed for almost a week after a cyberattack affecting their slot machines and loyalty program and payment systems.

Dotty’s 

Jan. 16, 2021

In addition to a malware event, an unauthorized person accessed certain systems within the company’s network, according to a letter notifying impacted customers of the 120 gaming taverns across Nevada. Personal information was exposed — including names, dates of birth, and driver’s license numbers.

The Palms 

Oct. 18-19, 2022

A malware attack took out The Palms Las Vegas website for more than 24 hours, causing Google to label the site with a malware warning.

The off-Strip casino is owned and operated by the San Manuel Band of Mission Indians in California, one of the nation’s richest gaming tribes, which purchased the Palms from Red Rock Resorts in 2021 for $650 million.