Caesars Entertainment was recently hacked by malicious actors, who took terabytes of information stored on its servers. As a result, the company was sued by its rewards members in a class action for failing to disclose that their accounts were compromised. The class action suit represents a step up for exposures in the growing cyber security landscape.
On September 7th, the entertainment giant's servers were hacked through an outside vendor, and the loyalty rewards members database was stolen. This ransomware attack was able to obtain over 6 terabytes of data. This data included social security numbers, rewards accounts and even credit card information. For a week, the hackers held the information ransom until they were paid over $15 million to get the information back.
Caesars is not the only entertainment company that has faced hacks. According to identity management company Okta, five of its clients, including MGM and Caesars, were hacked in the last month. David Bradbury, chief security officer of the identity management company Okta, said five of the company's clients, including MGM and Caesars, had fallen victim to hacking groups known as ALPHV and Scattered Spider since August.
San Francisco-based Okta, which says it has more than 17,000 customers around the world, provides identity services such as multi-factor authentication used to help users securely access online applications and websites. Multiple breaches it identified at its customers last month prompted the company to issue an alert then, Bradbury said.
"We saw this happened in such a small period of time and we thought we should be coming forward to the industry at large and explaining what's happening here," he said. (1)
Social engineering is believed to be behind this type of attack. A hacker will use a fake email to target someone with the right credentials. Using realistic emails, they obtain the information they need, then hack their way in, steal the data and hold it for ransom. What makes this unique is that the same group that attacked Caesars also attacked MGM and other clients in the span of a month. MGM eventually paid its ransom, but Caesars did not, resulting in the compromise and theft of its data.
This has resulted in a class action lawsuit, with Miguel Rodriguez as the named plaintiff on behalf of all the rewards members. In the filing, the suit alleges, “Plaintiff seeks to hold defendant responsible for the injuries defendant inflicted on plaintiff and tens of thousands similarly situated persons due to defendant’s impermissibly inadequate data security, which caused the personal information of plaintiff and those similarly situated to be exfiltrated by unauthorized access by cybercriminals at a still undetermined and/or undisclosed time but was otherwise discovered on Sept. 7.” (2) Further quotes from Rodriguez tell the court that even though the company reported the breach on the 7th, it is not known how long these systems were compromised. Considering the size of the hack, it is speculated that the attackers were there for at least a couple of days.
The Caesars and MGM breaches show that social engineering is still a substantial threat to everyone and that most companies still have not figured out cyber security. The litigation that has evolved from this shows that if companies are not careful, they open themselves to multibillion-dollar suits and claims. This hack also shows that breaches are getting bigger and more complex, something that everyone should take note of and prepare for.