Recently, leading gaming corporation Caesars Entertainment confirmed their unfortunate encounter with a cyber attack. The illicit individuals targeted a variety of data repositories, including the extensive Caesars Rewards database.
Following rumors and speculations, Caesars Entertainment disclosed in a Form 8-K filing with the Securities and Exchange Commission that it had experienced a cybersecurity breach. News of the incident came on the heels of a similar attack on competitor MGM Resorts International. Information circulating suggested that the hackers, known as “Scattered Spider” or UNC 3944, were paid $30 million by Caesars. However, the company neither confirmed the sum nor acknowledged the hackers by name. The document did suggest that they faced expenses related to the violation.
Despite currently incurring costs associated with responding to the attack, the company acknowledged the potential for additional expenses, including remediation and investigation costs. The comprehensive impact, including the balance to be offset by cybersecurity insurance or compensation claims against other parties, remains undetermined.
According to newly instituted guidelines from the SEC, public companies are now required to disclose significant events impacting investors. Such events may include natural calamities affecting operations, fires in facilities or cyber attacks.
Owing to its more than 65 million members – the largest in the gaming industry, the Caesars Rewards initiative proved to be an appealing target for cyber mongers. The company acknowledged in the regulatory filing that the hackers have obtained sensitive data such as driver’s license and Social Security numbers of a significant number of members. However, it maintained that there isn’t any evidence to suggest that member PINs, bank account data or payment card numbers got compromised.
Caesars further stated measures have been implemented to ensure the unauthorized actor deletes the hijacked data. While there is no definite guarantee for this deletion, the company reported no evidence yet of the information being further shared or misused.
In the wake of the cyber breach, Caesars offers complimentary credit monitoring services to its clientele which can be availed of by reaching out to the dedicated helpline.
The term “material” relies heavily on interpretation. If we assume the speculated sum of $30 million was indeed paid to “Scattered Spider”, this amount is relatively minor for a corporation boasting a market capitalization of $11.27 billion.
While companies must reveal ransomware incidents, the exact nature and extent of the Caesars attack remains undisclosed. However, the company has refrained from branding this incident as catastrophic.
As part of its closing statement in the regulatory document, the company expressed uncertainty regarding the full impact of the violation on future guest behavior and the potential for financial upset. However, as it currently stands, it predicts the incident will not significantly influence the company’s financial status or operational results.