When I mention “big casino heist,” you’re probably quick to envision a scene from the Ocean’s movie franchise, a slew of armed Elvis impersonators in 3000 Miles from Graceland or the appropriately titled film Heist. You’re probably not thinking of a smart thermostat in an aquarium. The idea of a fish tank heist is a lot less glamorous. But with more connected devices inside them, casinos are in the cyber crosshairs of threat actors.
Avoiding Casino Cyber Incidents: The Odds Aren’t in Visitors’ Favour
Las Vegas took first place in the list of top ten United States cities most likely to experience cyberattacks. The report took into account the vulnerability of infrastructure and devices within metro areas, examining over one million endpoints to create an overall Threat Index Score, which ranged from zero to ten. A score below six and a half indicated an acceptable level of risk. Las Vegas took the top spot by garnering a perfect ten. According to Coronet Security, which conducted the study, users in Las Vegas have a frightening 43 percent chance of connecting to networks deemed medium- or high-risk.[i]
The Hard Rock Casino has repeatedly fallen victim to cybersecurity breaches. Repeat cyberattacks targeting the same victim are becoming commonplace. According to a report released by FireEye, 56 percent of enterprises that were targets of a significant cyberattack in 2017-2018 were targeted a second time in that period by a similar attack.[ii] Beginning in May 2015, threat actors stole credit cardholder names and corresponding numbers and card verification codes from Hard Rock Hotel guests and customers in the casino’s many restaurant and retail locations.[iii]
A year later, malware was installed on the casino’s POS systems, and again, credit card information was stolen. This second attack was more widespread, targeting the entire resort through POS scraping technologies.[iv] In 2017, once again, more Hard Rock consumer data was exposed. This time, the casino wasn’t to blame. The breach of the Sabre booking system affected eleven hotels across the resort chain.[v] But customers were wary of the casino after its third cybersecurity strike in which confidential consumer data was lost, caring little whether the casino was directly at fault or not.
Las Vegas Sands Corporation, which owns several popular properties, including The Venetian and Palazzo, was also a victim of a damaging cyberattack. The breach of its gaming websites and operational networks by Iranian hackers in 2014 made headlines when the attackers successfully stole the earnings and personal details of staff and the credit card and Social Security numbers of guests.[vi] The Sands believes that the hackers infiltrated the casino network through a smaller extension in Bethlehem, Pennsylvania and that “certain company data may have been destroyed” in addition to the sensitive information that was stolen.[vii] The Sands Corporation breach damages are estimated to have totalled approximately $40 million.[viii]
The Fish Did It
The Internet of Things (IoT) is a growing problem in cybersecurity. Interconnected smart devices, many with no built-in or inferior security features, make networks vulnerable. IoT device susceptibility was to blame in one memorable casino cyber-heist.
A casino in the United States had its system hacked via a smart thermostat and feed dispenser built into an aquarium in the casino’s lobby. The iPhone-controlled fish tank was capable of monitoring temperature, algae levels and automatic feeders. The digital aquarium was connected to a remote server in Finland. This connection allowed for billions of bytes of data to be stolen.[ix]
You’re probably not thinking about a thermostat being a threat to your network. But that was the way in for the threat actors. “The attackers used that to get a foothold in the network,” said Nicole Eagan, CEO of London-based Darktrace at a UK cybersecurity conference. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”[x]
Robert Hannigan, who previously ran the British government’s digital-spying agency, Government Communications Headquarters, also spoke at the UK conference alongside Eagan and agreed that threat actors’ targeting of IoT devices was an escalating risk for organizations.
“With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem,” stated Hannigan. “I saw a bank that had been hacked through its CCTV cameras, because these devices are bought purely on cost.” Hannigan called for minimum security regulations for IoT devices in the marketplace, but also pointed out that “The problem is these devices still work — the fish tank or the CCTV camera still work.”[xi] So, even if new devices with more stringent security measures come to market, you have to be aware of and account for the lax security of older devices still in use in your network – legacy IoT. The bottom line is that no matter what industry you are part of, if you have IoT devices as part of your network, then they can be manipulated and are making your system susceptible.
Preparation Increases Your Cybersecurity Odds
Casinos are like any other large commercial company; they face data breach risks and must ensure that a robust cybersecurity incident response strategy is in place. Casino operators need to ensure that their casino security incident response plan is continuously being adapted and updated to cover all possible network entry points, including any IoT device additions, however seemingly small and insignificant. Similar to banks, casinos have a continuous and substantial stream of data concerning casino staff, customers, and the money being gambled and spent in the corresponding retail outlets, bars and restaurants – data that can be accessed, used and manipulated.
Cryptography and cybersecurity expert, Cédric Jeannot, Founder and CEO, APrivacy Ltd., highlighted that “There is also competitive intelligence, a casino wanting to know what the other one is doing. There are so many actors that when you develop a security system you have to get it 100 percent right.”[xii] Getting it right means creating an appropriate incident response strategy. Casinos, like any other business, need to identify and address any network vulnerabilities. Penetration testing and vulnerability assessment can highlight any ways that threat actors could access a network – from thermostats to CCTV cameras to staff clearance and login procedures. Casinos are ripe for cyberattacks.
Casino operators need to do their due diligence in protecting staff and customer data by ensuring that all smart devices are accounted for in security incident response planning. If you’re heading to Vegas, make sure you are cyber smart when connecting and follow these cyber-safe travel tips. Don’t gamble with your cybersecurity.