Caesars reportedly paid millions to stop hackers releasing its data

It’s the second Las Vegas casino group to be attacked this week.

Caesars Entertainment reportedly paid “tens of millions of dollars” to hackers who threatened to release company data.
I wonder if this is a good decision - you have to be very afraid of the publication of this data to pay millions to blackmailers without being sure that they won’t be at your door again soon.
I work in the casino industry. Our databases are full of SSNs, addresses, emails, telephone numbers, birthdates, food/liquor/tobacco/vacation/entertainment preferences, players with lines of credit through us, people who cash checks or get cash advances through their credit cards through us (so we have that info); through our play history data you can infer habits of where someone is or isn’t at certain times; some casino companies are now offering “cashless/chipless” play, which is an app on your phone hooked up to a bank account we set up for you and tie to Experian, etc. etc. etc.
Casinos are essentially banks now. We have fuckloads of secure information, and the casino industry hires the cheapest fucktards it can find on purpose to keep profits high. It’s no wonder we’re being targeted; we’re damn juicy targets. Even if IT tries its hardest, we’re handcuffed by cheap management and flat stupid users who fail phishing tests left and right and write down passwords on notepads or Excel sheets.
Thanks for that insight. The last time I was in Vegas was about twenty years ago, and I honestly had no idea why a slot machine has to be online.
We can’t offer player points (that can be used on free play or free food or free hotel stays) without them being online and tracking the level of play on your card.
A user being phished doesn’t leak the company’s database though.
It does if that user has rights to access those databases, and that would be a non-zero number of marketing analysts, P&A, data scientists, IT staff who maintain that infrastructure, etc. The most dangerous one is a compromised IT admin account, and from the looks of it that happened to MGM this week.
It’s becoming the standard to just pay the ransom. Many large companies have a cybersecurity insurance policy anyway. Plus, on the hackers’ side, they have a reputation to maintain. If word gets out that a specific group isn’t decrypting after payment, they will be less likely to get paid in the future.
This isn’t a crypto-locker hack, though, where you can verify pretty immediately whether they’re going to keep their word by them decrypting your data.
In this case the hackers actually physically have the data and are threatening to make it public if you don’t pay.
There’s no way to verify that they will never release it once you pay them. They could just sit on it for years after getting paid and then come back and say pay up again or they’ll release it.
Which is kinda what’s happening now!
And this is why you don’t negotiate with terrorists.
That, or are very sure that you have deep enough black market connections to shake the thieves down.
Paying these ransoms should just be illegal.
Why?