Caesars Entertainment has authenticated reports of a cyber intrusion, affirming the breach of its loyalty program database. In a agreement to the Securities and Exchange Commission on 14 September, the company disclosed that it initiated response procedures and launched a probe after identifying “questionable activities” across its broader network. The company attributed the incident to a social engineering assault on its outsourced IT support.
Subsequent to the investigation, it was disclosed that the culprits had gained access to customer data, including a duplicate of Caesars’ loyalty program database. This database encompassed driver’s license numbers and social security numbers of various program members.
Caesars clarified that consumer-facing aspects like Caesars Entertainment locations and mobile gaming applications were unaffected by the breach.
Caesars noted that it had taken “measures to ensure the unauthorized party erases the stolen data” post the breach; however, it acknowledged that ensuring this outcome was not guaranteed. The company confirmed that no evidence suggested passwords, PINs, or bank account data had been compromised.
The acknowledgment of whether a ransom was paid remained undisclosed by Caesars. Nevertheless, sources without identification reported in the media that Caesars made substantial ransom payments to the cyber attackers.
This incident was not the sole hacking episode reported during the week. MGM Resorts had to halt its systems upon detecting a cybersecurity issue on Monday, leading to disruptions in slot machines and hotel room access at MGM Resorts properties, as indicated in social media posts.
On 12 September, MGM Resorts confirmed via X (formerly Twitter) that its resort facilities were still functional, assuring guests of continued access to hotel rooms. Earlier today, it was revealed that efforts were ongoing to resolve the cybersecurity issue.
In its submission, Caesars underscored its enhancements to deter the recurrence of such incidents. The company expressed its belief that while complete eradication of cyber threats is impossible, it has undertaken suitable measures, collaborating with leading third-party IT consultants, to fortify its systems against future threats. These efforts are in continual progress.
Caesars also confirmed that it had incurred expenses related to the breach but did not anticipate any adverse impact on its future financial results.