Sep 14, 2023 - Technology

Caesars Entertainment is latest casino chain to confirm it was hit by a cyberattack

Image of Caesars Palace in Las Vegas

Caesars Palace Hotel along the strip in Las Vegas, NV in April 2014. Photo by Sandy Huffaker/Corbis via Getty Images

Caesars Entertainment said a recent cyberattack exposed customers' Social Security numbers and driver's license information, per a public 8-K filing Thursday.

Why it matters: The Las Vegas stalwart appeared to face a cyberattack days before hackers targeted hotel and casino chain MGM Resorts International, resulting in days of downed MGM IT systems.

  • Caesars operates several Las Vegas-based casinos, entertainment venues and online gaming apps.
  • It runs more than 50 resorts, including several well-known Vegas brands like Caesars Palace, Harrah's and Horseshoe.
  • Caesars plans to notify affected customers "on a rolling basis" in the coming weeks if their data was accessed during the breach.

Details: Caesars said hackers gained access to its systems using a social engineering attack on its outsourced, undisclosed IT support vendor.

  • The attack resulted in hackers stealing a copy of the company's loyalty program database, which includes driver's license information and Social Security numbers for "a significant number of members."
  • At the time, Caesars doesn't believe the hackers stole customers' payment or bank account information.
  • But unlike the MGM attack, where downed IT systems have led to days-long outages at slot machines and the hotel's mobile app, Caesars said its physical locations and online gaming apps were not affected.

Yes, but: Caesars provided no details about who may be behind the attack and only says it determined data was stolen on Sept. 7.

  • The company did not immediately respond to a request for comment Thursday.

The big picture: In the last few years, several major companies have faced breaches due to social-engineering attacks — where hackers rely on their communication skills to trick employees into sharing passwords and other information.

  • Last year's Uber breach started after someone called an employee claiming to be their company's IT department.
  • Verizon estimated earlier this year that the number of incidents involving a fake story or other pretext to lure in victims more than doubled between November 2021 and October 2022.

The intrigue: The filing comes after Bloomberg and the Wall Street Journal reported Wednesday that Caesars recently paid millions to ransomware hackers to stop the attack and delete any stolen data.

  • However, Caesars did not directly mention paying a ransom in its filing, and only noted that "we have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result."

Caesars said in the filing it believes it has taken appropriate steps to protect against future incidents.

Go deeper: MGM Resorts shuts down online systems after cyberattack

Go deeper