It was just a few months ago that Gateway Casinos in Ontario were temporarily shut down by a ransomware attack.
A total of 14 Ontario casino properties were closed for two weeks, while personal information of Gateway customers and employees was put at risk.
More recently, North America has seen similar attacks on MGM Resorts, owner of MGM Grand Detroit, as well as Caesars, home to Caesars Windsor.
PlayCanada chatted with Lisa Plaggemier, the executive director of the National Cybersecurity Alliance, about the attacks and what casinos and customers can do to better protect themselves.
What exactly occurs during a cyber attack?
Most people have experienced some form of an attempt at a cyber attack in their personal or work life, whether they know it or not.
According to the Cybersecurity & Infrastructure Security Agency, 47% of American adults have had personal data exposed by cyber criminals.
So, just how does it happen?
“Usually it starts with some form of social engineering, like somebody sends a phishing email to one of your employees. Somebody clicks on something that they shouldn’t, not that they’re willful about it,” Plaggemier said.
“That then starts a series of events that downloads malware in the form of ransomware onto a computer, and then that ransomware goes about encrypting files and moves very quickly through your systems.”
In the case of Gateway Casinos, the attack forced a shutdown of gaming operations on April 16. The casino operator then said that the matter was resolved on April 29.
Originally citing a “system-wide malfunction” as the issue, Gateway officials were later forced to admit the organization was the victim of a ransomware attack.
“Once you’ve been infected, there’s no antidote. The only antidote is to roll to your backups,” Plaggemier said. “Sometimes the victims have all their ducks in a row, and they recover very quickly, but they’re still victimized. Sometimes the victims are not well prepared, and don’t have their network segmented and don’t have adequate backups that were configured properly. They suffer much worse damage.”
Gateway didn’t own up to paying a ransom
Gateway officials didn’t indicate whether or not the company paid the ransom asked for by the hackers in the cyber attack.
When it comes to the MGM Resorts and Caesars attacks, both were asked for a lofty ransom.
“Now (cyber attackers) don’t just hold data for ransom, but they also want to be paid to not release the data onto the dark web,” Plaggemier said. “It used to be they just encrypted it and held it. Now they’ve decided they can make money both ways.”
In the case of MGM Resorts, it elected not to pay the ransom and dealt with the interruptions for many days. Caesars elected to pay a reported ransom of $15 million to the hackers to get their information back.
Neither situation is ideal, but Plaggemier believes paying the hackers sends a bad message that these attacks are working and will continue.
“We side with federal law enforcement. We believe that paying the criminals is not good practice. It perpetuates the problem as long as people keep paying, and they’ll keep doing it,” Plaggemier said. “You’re also trusting that you’re going to get the encryption keys back and they’re going to work. You’re putting a lot of trust (in the hackers). You’re doing business with criminals.”
In the end, Plaggemier believes making a payment speaks more about the company than the hackers themselves.
“I know a lot of organizations pay. It becomes a very practical decision at the end of the day for them because if they weren’t properly prepared, then it can actually be cheaper to pay than to try and recover on their own,” she said.
“And so that’s why they make an economic decision in the heat of the moment to pay. But I think it’s unfortunate. I think, to me, it says a lot about an organization when that’s the route that they choose to go. From both an ethical standpoint and a policy standpoint.”
Is the gambling industry a target of cyber attacks?
With multiple attacks on casinos and a recent cyber attack on Sony’s online gaming network, some may be led to believe that hackers are targeting the gambling and gaming industry.
However, Plaggemier doesn’t feel hackers are turning their focus to the industry in particular.
“I don’t think the gaming industry is being focused on necessarily any more than any retail consumer business,” Plaggemier said. “I think it’s more about legacy businesses. Businesses that have a deep, deep history that existed way before the information age. I think it has more to do with whether or not the businesses are successfully navigating over the past 10 or 20 years, a transformation to the digital age, from what was all analog.”
These attacks should be a wake-up call for the gambling industry to assess its ability to fight hackers. Keeping its defenses up to date is critical.
“Companies have to treat security risk like any other risks to your business. There’s geopolitical risk, currency risk, competitive market force risks, competitive risk. Any other risks to your business that you would manage, you need to manage cyber risk just the same,” Plaggemier said.
Protecting yourself from cyber attacks
The Gateway attack led to issues with the workers’ union, which was upset that workers’ personal information had been accessed by the hackers.
Similarly, the MGM Resorts attack has led to class-action lawsuits filed against the company. Customers claim MGM failed to protect customer data.
Aside from businesses being vulnerable to these attacks, consumers are also constantly under attack from cyber criminals.
Ontario online casinos limit how consumers can make transactions, but Plaggemier recommends using credit cards when available for better personal security.
“As long as you’re using a credit card, as opposed to a debit card… you’re protected from situations like this. You’re not personally liable,” she said. “So, I’m a big proponent of using credit cards and paying off the whole bill every month. It’s just as easy to use as a debit card or anything else, but it comes with that added protection.”
If you are on your computer at home or at work and suspect you may have clicked on something that triggered a ransomware attack, the best option is to sever the connection to your work network and the internet.
“The best thing to do is to just disconnect from the network at that point — if you’ve intercepted (the attack) and you know what’s happening. The only way you can stop it from spreading is to shut everything down or disconnect from the internet,” Plaggemier said.
Cyber hackers will continue assault
If the last six months have shown us anything, it is that hackers aren’t going to go away.
Their business is to be relentless, as they only need one slight mistake to be successful.
“The hard part is the bad guys only have to be right once, the defenders have to be right all the time. You can’t prevent them from attacking, you’re going to get attacked. Doesn’t matter who you are. Doesn’t matter how big or small your company is. It doesn’t matter if you’re a hospital, a utility company, a hotel or a casino. It doesn’t matter. You’re being attacked, whether you know it or not. Small business, large business, it doesn’t matter. It’s happening,” Plaggemier said.
The reason these attacks will continue is that the attackers have the ability to stay ahead of cyber security. This is true both in the United States and Canada.
“We have organizations in the western world that move slowly. We have processes we follow, we have laws that we follow, we have compliance regulations in different industries that we follow. Bad guys don’t have compliance. So, they can move really quickly and learn from their mistakes, and just keep iterating until they’re successful,” Plaggemier said.
“Time is money for them, so they move really fast. (Attacks) are going to happen, but the damage can be mitigated if you’re prepared.”
Casinos need to prioritize security defenses
What the casino industry should learn from these recent attacks is to prioritize its security defenses and to constantly prepare for what may be around the corner.
“Security isn’t a one-and-done, it’s not an event. It’s a process that you have to manage just like any other process. It’s just lather, rinse and repeat,” Plaggemier said.
“The problem isn’t going to go away anytime soon, the Internet was not built to be secure. It’s just the way it is.”
The public may not be aware if these casino businesses have been successful in their defenses. We only become aware when the defenses fall short.
Going forward, no news is good news.