Recent Closing of Three Tribal Casinos Provides Cyberattack Lessons

Posted on: October 21, 2020, 06:35h. 

Last updated on: October 21, 2020, 10:39h.

Two Idaho tribal casinos and one California casino have temporarily closed following a cyberattack. This is relatively unusual, but other gaming properties should prepare for the continuing risk, several cybersecurity legal experts warn.

Hacking will be a continuing issue for the casino industry
Paul Rosenzweig says casinos are often targets of cyberattacks. A former deputy assistant secretary at the US Department of Homeland Security, Rosenzweig is now an attorney, consultant, and lecturer at George Washington University Law School. (Image: Daily Kos)

In the latest example, Clearwater River Casino & Lodge in Lewiston and It’se Ye-Ye Casino in Kamiah reopened in Idaho on Monday after the cyber attack led to the closure of the two gaming properties for about 10 full days.

The Nez Perce tribe-operated casinos said they did not experience a data breach from the Oct. 8 attack. It was described in a Facebook post as a “major computer systems disruption.”

Cache Creek Casino Resort in California also experienced a recent cyber attack. The casino shut down on Sept. 20 and reopened this month after a three-week closure. It is owned and operated by the Yocha Dehe Wintun Nation.

A “total closure is unusual,” Paul Rosenzweig said. Rosenweig is a former deputy assistant secretary at the US Department of Homeland Security who now works as an attorney, consultant, and lecturer at George Washington University Law School.

The targeting of casinos is not uncommon. The most famous attack was on Sheldon Adelson’s Las Vegas casino because of his alleged pro-Israel views,” Rosenzweig told Casino.org.

“Several casinos have been the victims of cyberattacks, some of which have included data breaches,” said Anthony Cabot, Distinguished Fellow in Gaming Law at UNLV’s Boyd School of Law, in a statement to Casino.org. “Casinos are attractive targets because they maintain significant financial data on their patrons.”

Casinos collect sensitive and valuable data from visitors, such as credit card numbers. They also have many cyber locations where they can be attacked. Both factors lead to the increased risk of an attack, said Brian Ray, director of the Center for Cybersecurity and Privacy Protection at Ohio’s Cleveland-Marshall College of Law, to Casino.org.

Ransomware Continued Risk for Casinos

The Idaho casinos may have been hit with ransomware that encrypted their systems, Ray told Casino.org. Ransomware attacks are attempts to extract a ransom with a threat that systems will become inaccessible.

Such attacks can not only lead to lost revenue, but casinos, like other businesses, can experience negative publicity and reputational risk from such an incident, Ray said.

He further warns about the recent increase in ransomware attacks that exfiltrate sensitive data. One new report estimates that up to one in 10 attacks also involve data theft, Ray adds.

The incidents also illustrate the importance of businesses backing up their data and the need to be able to restore files from that backup, Ray said.

There are also legal concerns related to cyberattacks, especially if a data breach takes place. Businesses need to examine the specific breach notification laws in each state to determine whether the incident needs to be reported, Ray warned.

Cybersecurity Best Practices

When looking at the entire gaming sector, Anthony Cabot recommends it should voluntarily “coalesce around best practices” to properly manage and harden their software systems. Cabot also recommends using encryption technology that meets or exceeds technology used by other sensitive industries, such as banking.

Otherwise, government officials could impose standards on gaming properties, Cabot warns.

Paul Rosenzweig also advised casinos and other enterprises that “anyone who guarantees stronger security, is just painting a target on their own forehead. It is unwise.”

In light of the threats, Ray recommends casinos enact cybersecurity precautions, such as having an incident response plan. It should focus on the identification of the cyber threat, containment, and eradication.

Additionally, plans on how to recover from the incident should be in place, Ray said. He further recommends casinos undertake a risk assessment, use multi-factor authentication, regularly update their systems, as well as train and test their employees.

“Hacking will be a continuing issue for the casino industry,” Cabot said after the three recent casino cyberattacks. “Each hacking instance not only opens the casinos to potential civil liability, but also impacts the public’s confidence.”