US casino giants Caesars (NASDAQ:CZR) Entertainment and MGM Resorts (NYSE:MGM) have reported cybersecurity incidents to the Securities and Exchange Commission (SEC), following ransomware attacks on their operations. The disclosures came in line with SEC rules implemented in March 2023, which mandate publicly traded companies to report "material" cybersecurity incidents within four days.
On Thursday, Caesars Entertainment revealed that an unauthorized actor had accessed a copy of its loyalty program database, which included sensitive data such as Social Security and driver's license numbers of a significant number of members. The breach was discovered earlier this month after the detection of suspicious activity in the company's network. The company said hackers targeted an outsourced IT support vendor through a social engineering attack. Caesars has reportedly paid half of the $30 million ransom demanded by the hackers, according to The Wall Street Journal.
Caesars stated that its customer-facing operations, including physical properties and online and mobile gaming applications, were not impacted by the incident. The company is still investigating the extent of any other sensitive information that might have been acquired by the hackers.
Two days prior to Caesars' announcement, MGM Resorts reported a cybersecurity issue affecting some of its systems. The details provided by MGM in its SEC report were minimal, only reiterating a press release from September 12 stating that a cybersecurity issue was identified and an investigation was ongoing. Unlike Caesars, MGM Resorts is still experiencing system outages due to the incident.
Those familiar with the incidents have linked both breaches to the threat group Scattered Spider. However, MGM declined to provide additional details on the cyberattack on its systems that occurred on September 10.
In response to these incidents, both companies are taking steps to safeguard their systems and data. MGM has launched an investigation and notified law enforcement while also shutting down certain systems. The full scope of the costs related to these attacks, including potential indemnification claims against third parties and the extent to which these costs will be offset by cybersecurity insurance, is yet to be determined.
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.