WinStar Casino App Was ‘Spilling Customer Data’: TechCrunch

Posted on: February 10, 2024, 05:51h. 

Last updated on: February 12, 2024, 11:50h.

A Nevada-based tech startup that developed the app for the WinStar World Casino and Resort in Thackerville, Okla., was “spilling customers’ private information to the open web,” according to a TechCrunch report.

The WinStar World claims to be the biggest casino in the world. But the company it hired to build its “MyWinStar” app left an even bigger hole in one of its customer databases, according to TechCrunch. (Image: NBC)

The company, Dexiga, built the MyWinStar app, which allows users to keep track of earned rewards points, promotions, and offers, as well as pay for gaming and WinStar amenities during their stay.

But Dexiga had failed to secure one of its logging databases with a password, according to the tech news portal. This meant anyone with knowledge of Dexiga’s public IP address had access to WinStar customers’ private information on the leaky database.

This included full names, phone numbers, email addresses, home addresses, the users’ gender, and the IP address of the users’ devices. None of the data was encrypted, although some sensitive information, such as dates of birth, was redacted with asterisks, according to TechCrunch.

The database has now been secured after TechCrunch contacted Dexiga to raise a red flag.

‘World’s Biggest Casino’

WinStar, owned by the Chickasaw Nation, claims to be the largest casino in the world by square footage. Based close to the Texas border, it welcomes a multitude of visitors every year. It is not clear how many customers’ personal information was exposed by the security lapse, or whether this information was accessed by any bad actors prior to discovery.

The lapse was first noticed by Anurag Sen, a good-faith security researcher with a proven history of discovering exposed data. He contacted TechCrunch with his concerns, and the tech portal was able to link the database to Dexiga.

In email communication with TechCrunch, Dexiga founder Rajini Jayaseelan claimed that the database contained “publicly available information” and denied his company had exposed sensitive data.

Jayaseelan added that the incident had occurred during a log migration performed last month. He declined to say whether Dexiga is able to determine if anyone accessed the database while it was exposed.

Jack Parkinson, WinStar World Casino and Resort president, said in a statement to Casino.org that the company had only been notified of the situation on February 10.

“Initial investigation shows this event affected a limited number of individuals and not the entire database of My WinStar App users. It has also been determined that the information accessed involved a single file and the app itself was not compromised,” he said.

“We continue to work with our vendor developer to investigate what happened and what steps can be taken in the future to mitigate this issue. The safety and security of our patrons and their information is of highest priority for us, and we will notify those affected patrons as soon as we have more information,” Parkinson added.

Casino Security in Hard Focus  

The methods casinos use to protect sensitive customer data and repel hackers have come into hard focus in recent years after numerous security breaches.

In September, the so-called “Scattered Spider” hacking group orchestrated devastating ransomware attacks on MGM Resorts and Caesars Entertainment.

After refusing to pay the ransom, MGM experienced disruption to its operations that lasted for days and caused an estimated $100 million in damage. Caesars paid the hackers around $15 million to have normal services restored, according to The Wall Street Journal.

Casinos are attractive targets for cybercriminals. That’s because of the huge amount of data accrued through loyalty programs and the credit card-intensive nature of hotel booking.

WinStar World had failed to reply to a request for comment from Casino.org at the time of publication.