Casino giant Caesars tells thousands: Yup, ransomware crooks stole your data

House always wins, er, wait ...

As more details emerge from September's Las Vegas casino cyberattacks, Caesars Entertainment – the owner of Caesars Palace – has disclosed more than 41,000 Maine residents alone had their info stolen by a ransomware gang.

In a Friday filing with the US state's Attorney General's office, Caesars disclosed extortionists siphoned 41,397 Mainers' data, and listed the total number of victims "TBD."

The hotel, restaurant, and casino chain described the theft as follows:

Caesars was the victim of a social engineering attack on an outsourced IT support vendor that resulted in unauthorized access (on August 18, 2023) to Caesars' network and the exfiltration of data (beginning on or about August 23, 2023), which Caesars subsequently confirmed (on September 7, 2023) included the personal information of state residents.

The hotel chain's loyalty program was pillaged and Caesars noted that the stolen personal data included names and driver's license numbers and/or identification card numbers. According to the filing, the crooks didn't access customers' financial information or payment details.

In an attached security breach notification letter [PDF], Caesars told customers that the entertainment conglomerate has "taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result."

These steps, we'd assume, include paying the ransom demand – which was reportedly negotiated at $15 million after an initial demand for $30 million.

"To ease any concern you may have, we are offering you complimentary identity theft protection services for two years through IDX, a data breach and recovery services expert," the notification letter continued. 

"This identity protection service includes two years of credit and dark web monitoring to help detect any misuse of your information, as well as a $1,000,000 insurance reimbursement policy and fully managed identity restoration in the event that you fall victim to identity theft."

The casino giant first confirmed the data theft in an SEC filing in September, but has yet to comment on the reported ransom paid to the ransomware crew. 

Caesars has not responded to multiple inquiries from The Register. These include questions about the ransom demanded and whether it was paid, and how many thousands of customers were caught in the ransomware crew's web. The biz's 8-K SEC form claimed data belonging to a "significant number" of loyalty members was feared stolen. We will update this story if and when we hear back.

News of that ransomware infection broke as another huge casino and hotel chain, MGM Resorts, was forced to shut down IT systems and slot machines after the same cybercrime crew – known as Scattered Spider – broke into its network and stole customers' data.

Scattered Spider is reportedly an affiliate of ALPHV, also known as BlackCat, a ransomware-as-a-service (RaaS) operation that rents its malware to other criminals.

Last week, in its 8-K SEC filing, MGM said it expects the security breach will cost the company at least $100 million.

Why MGM didn't pay the ransom

While Caesars reportedly paid to make the pain stop, MGM did not. Its CEO, Bill Hornbuckle, told Bloomberg his reasons for not caving to the crooks' extortion were not driven by nobility.

The data thieves had already been in the hotel giant's IT environment for several days before sending a ransom note for a sum Hornbuckle declined to reveal. By that point, the gambling biz had started rebuilding its systems from backups and didn't see any reason to respond to the criminals.

"I'd love to tell you there was this, you know, 'a jump on a white horse moment and devil be damned — we're not paying these bastards,'" Hornbuckle said. "The reality is because we caught this so early and we were on them."

The Register has also asked MGM repeatedly for comment about the intrusion and is yet to receive a response. 

And while we know of these two casino and resort giants who fell victim to Scattered Spider, there are likely more victims that have yet to disclose data losses.

In August, Okta revealed that "multiple US-based customers" reported social engineering attacks that targeted their IT service desks in attempts to steal user account info for those accounts with administrator permissions. 

At the time, Okta's chief security officer David Bradbury told The Register that Scattered Spider was behind these attacks. 

While we know that two of these Okta customers were Caesars and MGM, the same crew reportedly also broke into the systems of three other big businesses. These included a manufacturing, retail, and technology firm – but these other targets have yet to be named. ®

 
