With large troves of sensitive consumer financial data and more cash transactions per minute than some of the world’s largest banks, today’s gaming and casino institutions are ideal targets for cybercriminals seeking hefty payouts. Casinos also have to guard multiple points of entry, from on-site stores, restaurants, entertainment venues, ATMs and point-of-sale (POS) systems, to consumer-facing online websites and mobile apps and internal email servers, systems and networks.
The importance of cybersecurity in the gaming industry is not a new revelation. The Nevada Gaming Control Board has reminded the industry that failure to review security measures and comply with security obligations under applicable federal, state and local laws may be considered “an unsuitable method of operation,” resulting in disciplinary action. But rapid changes in technology, the rise of the Internet of Things (“IoT”), and the ubiquity of digital data collection activities have posed unique and complex problems for the industry.
The increasing use of IoT devices has expanded opportunities for bad actors to gain access to gaming industry networks. In the summer of 2017, a North American casino installed a high-tech fish tank designed to automatically feed the fish and maintain their environment. While internet connectivity proved convenient and efficient for this purpose, it also created an unfortunate vulnerability in the casino’s security that was exploited by hackers to gain access to the casino’s network.
Wi-Fi networks, a consumer amenity in high demand, can provide casinos and gaming institutions with valuable insights into their consumers. But they are also particularly susceptible to hacking and can be used to siphon customer information and/or as a gateway into the casino’s network.
Player cards may also be an attractive target for cybercriminals, given the significant number of players utilizing them at any given time and the vast quantities of cash loaded on or accessible through them.
Email has enabled global connectivity in real time, but a single link in an email opened by an unwitting employee can wreak havoc on a casino’s systems. Last year, a cybersecurity breach at three Canadian casinos spanning three years resulted in a ransomware attack and significant business operation losses. At least two of those instances were effectuated through spearphishing attacks targeting employee emails.
Use of third-party software and services can create vulnerabilities for which gaming operators may ultimately be liable. This past year, a breach of a third-party reservation system affected hotels and casinos worldwide. Additionally, a casino operator’s data from its payment card system was compromised through a backdoor on its virtual private network (VPN), and another casino operator uncovered unauthorized access and malware on its card processing network.
Cybercrime poses a very real and very serious threat to the gaming industry. The sophistication and success rate of cyber attacks have increased over the years. Courts are also increasingly willing to expand standing for plaintiffs alleging intangible future harm in data breach actions. While the size and resources of gaming institutions make them a prime target for cybercriminals, they may also be their biggest strength. Many gaming institutions are sophisticated and have implemented and maintained robust cybersecurity programs, leveraging innovative technologies and employing cybersecurity experts to bolster their defenses.
But irrespective of size, for gaming institutions to succeed amid today’s ever-expanding cyber threat environment, they must stay apprised of the dangers that new and existing technologies pose and react accordingly. This includes testing and updating technologies, implementing appropriate policies and procedures, exercising oversight of vendors through appropriate due diligence, audits, and contractual requirements and conducting appropriate employee training at regular intervals. While preventative measures are imperative, they alone are not sufficient, as no system or safeguard is impenetrable. As such, gaming institutions would be well advised to develop well-defined disaster recovery protocols, business continuity, and incident response plans and to conduct regular training to ensure that when the time comes, they can be activated as seamlessly as possible.
With cybercrime on the rise and costs associated with breached data and business interruption growing, the house simply cannot afford to gamble on its cybersecurity program.
Tracy L. Lechner, Shareholder & Ellen Whittemore, Shareholder, Brownstein Hyatt Farber Schreck