Caesars Cites Social Engineering Attack for Recent Casino Hack

In its Form 8-K SEC filing, dated September 14, 2023, Caesars identified a material breach and what it believes to be the source of the recent hack on its loyalty program member database:

Caesars Entertainment, Inc. (the “Company,” “we,” or “our”) recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company. Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.

To think that to hack into a casino, an institution notorious for its inviolable security mechanisms and protocols, cybercriminals needed only to employ a few human manipulation tactics is jarring. From the new Form 8-K, it appears the hackers breached a third-party IT vendor to gain access to Caesars. While Caesars identified neither the vendor nor the nature of the services it provided, we can assume, in light of the nature of the third party's access, that it was a vendor that provided critical services and was engaged to ensure the smooth operation of the company's digital ecosystem. With great responsibility comes great risk, and cybercriminals have become adept at exploiting vulnerabilities in third-party vendors, employing a variety of social engineering attacks to breach a company's security.

To recap, cybercriminals pilfered Social Security numbers and driver's license numbers from a substantial portion of Caesars Entertainment's loyalty program clientele, as reported by the renowned hospitality and casino conglomerate. This revelation emerges concurrently with MGM Resorts, another prominent Las Vegas entity, grappling with its own cyber incident, wherein guests recently experienced difficulties in executing room charges and accessing their accommodations via digital keys. A cybercriminal organization initially insisted on a $30 million ransom from Caesars, although the company reportedly paid approximately half of that amount. Caesars intends to offset some of these expenses through its cyber insurance policies.

Nevertheless, Caesars remains optimistic that neither the ransom payment nor its consequences will significantly impact the company's financial performance, as stated in the official filing.

These twin incidents have now cast a glaring spotlight on the cybersecurity fortifications within the multibillion-dollar casino and hospitality sector in Las Vegas, a sector particularly susceptible to the extortion attempts of cyber malefactors.

What are Social Engineering Attacks?

Social engineering attacks are manipulative tactics employed by cybercriminals to deceive individuals or organizations into divulging confidential information, granting unauthorized access, or performing actions that compromise security. These attacks prey on human psychology, exploiting trust, fear, or curiosity to achieve malicious goals. Social engineering attacks can take various forms, and they often involve psychological manipulation rather than technical exploits. Here are some common types of social engineering attacks:

  • Phishing Attacks. Phishing is one of the most prevalent social engineering techniques. It involves sending deceptive emails, messages, or websites that appear legitimate to trick recipients into revealing sensitive information, such as login credentials or financial data. Phishing attacks can be highly convincing, with cybercriminals imitating trusted entities like banks, government agencies, or even support vendors.
  • Spear Phishing. In a spear phishing attack, cybercriminals target specific individuals or organizations with customized, highly personalized messages. These messages often include information gleaned from extensive research, making them more convincing and difficult to detect.
  • Vishing (Voice Phishing). Vishing involves using voice communication, such as phone calls or voice messages, to deceive victims. Attackers often impersonate trusted entities or individuals, urging the target to reveal sensitive information over the phone.
  • Baiting. In baiting attacks, cybercriminals lure victims with promises of something enticing, such as free software or media downloads. When victims take the bait and download the malicious file, their devices become compromised.
  • Pretexting. Pretexting is a form of social engineering that involves creating a fabricated scenario or pretext to manipulate individuals into disclosing information or performing actions that compromise security. Attackers often pose as someone in authority or with a legitimate need for the information.
  • Tailgating and Piggybacking. Physical security can also be compromised through social engineering. Tailgating involves an attacker following a legitimate person into a restricted area, taking advantage of their trust. Piggybacking is similar but involves getting the target's consent under false pretenses.

Extra Vulnerabilities Introduced by Third-Party Vendors

Outsourced third-party vendors bring significant benefits to a company, such as expertise, cost savings, and scalability. However, they also introduce extra vulnerabilities to an organization's cybersecurity landscape. Here's why:

  • Limited Control. When a company outsources support, it relinquishes some control over its systems and data. This limited control can make it challenging to monitor and enforce security measures, leaving gaps that attackers can exploit.
  • Access to Sensitive Information. Vendors often have access to sensitive company data and systems. If an attacker compromises their credentials, they gain a direct path to the company's valuable assets.
  • Trust Dynamics. Trust is the foundation of any successful outsourcing relationship. Companies inherently trust their IT support vendors to maintain the highest level of security. Cybercriminals exploit this trust, as employees are less likely to question the actions or requests of trusted IT personnel.
  • Shared Responsibility. Security is a shared responsibility, but the lines of responsibility can become blurred when third-party vendors are involved. Companies and vendors must clearly define their roles and responsibilities in terms of cybersecurity.
  • Communication Channels. Outsourced vendors often rely on various communication channels to interact with the company's employees. Attackers can exploit these channels to impersonate legitimate vendors and deceive employees.

Mitigating Social Engineering Risks Involving Third-Party Vendors

To protect against social engineering attacks on outsourced vendors and the extra vulnerabilities they introduce, companies should implement comprehensive security measures:

  • Security Awareness Training. Conduct regular security awareness training for all employees, including training specific to identifying and responding to social engineering attacks.
  • Multi-Factor Authentication (MFA). Require MFA for accessing sensitive systems and data, adding an extra layer of security even if an attacker obtains login credentials.
  • Vendor Assessment and Monitoring. Perform due diligence when selecting vendors. Continuously assess their security practices and monitor their activities to ensure compliance with security policies.
  • Clear Access Controls. Implement strict access controls, limiting the permissions of support personnel to only what is necessary for their tasks.
  • Incident Response Plans. Develop and regularly update incident response plans that specifically address social engineering attacks. Test these plans to ensure they are effective.
  • Physical Security Measures. Enhance physical security by implementing measures to prevent unauthorized access to company premises, including visitor logs, access badges, and escort policies.
  • Regular Auditing. Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in the security posture.
  • Encryption and Secure Communication. Encourage the use of encryption for communication channels between the company and IT support vendors to protect against eavesdropping.
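The "Clear Access Controls" and "Vendor Assessment and Monitoring" items above can be made concrete by writing the vendor's contracted scope down as a policy and checking every vendor-account action against it. The following is an added illustration, not code from the original article or from any vendor or product it mentions: the vendor names, host names, maintenance window and the key=value log format are all constructed for the example. It evaluates each access event against three least-privilege conditions (contracted hosts only, inside the agreed maintenance window, MFA used) and returns the out-of-policy events for review.

```python
"""Least-privilege policy check for outsourced IT-support accounts.

Hypothetical example: each vendor has an allow-list of hosts, a maintenance
window and an MFA requirement. Constructed access-log lines are parsed and
evaluated; events outside the policy are returned so a reviewer can triage them.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class VendorPolicy:
    vendor: str
    allowed_hosts: frozenset   # systems the vendor is contracted to support
    window: tuple              # (start, end) local time of the maintenance window
    require_mfa: bool = True


# Constructed vendor policy for this example (not a real vendor).
POLICIES = {
    "helpdesk-co": VendorPolicy(
        vendor="helpdesk-co",
        allowed_hosts=frozenset({"ticket-sys", "vpn-gw"}),
        window=(time(8, 0), time(18, 0)),
    ),
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    vendor: str
    user: str
    host: str
    mfa: bool
    action: str


def parse_event(line: str) -> AccessEvent:
    """Parse one key=value access-log line (a constructed format, not a real product's)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return AccessEvent(
        ts=datetime.fromisoformat(fields["ts"]),
        vendor=fields["vendor"],
        user=fields["user"],
        host=fields["host"],
        mfa=fields["mfa"].lower() == "true",
        action=fields["action"],
    )


def evaluate(event: AccessEvent, policies=POLICIES) -> list:
    """Return the list of policy violations for one event; an empty list means in policy."""
    policy = policies.get(event.vendor)
    if policy is None:
        # An account claiming a vendor we have no contract record for is itself a finding.
        return ["unknown vendor account"]
    violations = []
    if event.host not in policy.allowed_hosts:
        violations.append(f"host {event.host} outside contracted scope")
    start, end = policy.window
    if not (start <= event.ts.time() <= end):
        violations.append("outside maintenance window")
    if policy.require_mfa and not event.mfa:
        violations.append("MFA not used")
    return violations


def triage(lines) -> dict:
    """Evaluate every log line; return {line_index: [violations]} for non-compliant events only."""
    findings = {}
    for idx, line in enumerate(lines):
        issues = evaluate(parse_event(line))
        if issues:
            findings[idx] = issues
    return findings


# Constructed sample log lines: one in-policy login, one out-of-hours export from
# a system outside the vendor's scope without MFA, and one unknown vendor account.
SAMPLE_LOG = [
    "ts=2023-09-12T09:15:00 vendor=helpdesk-co user=jdoe host=ticket-sys mfa=true action=login",
    "ts=2023-09-12T02:40:00 vendor=helpdesk-co user=jdoe host=loyalty-db mfa=false action=export",
    "ts=2023-09-12T10:05:00 vendor=unknown-vendor user=svc host=vpn-gw mfa=true action=login",
]

if __name__ == "__main__":
    for idx, issues in triage(SAMPLE_LOG).items():
        print(SAMPLE_LOG[idx])
        for issue in issues:
            print("  -", issue)
```

The point of the design is that the policy is data, agreed with the vendor during onboarding, rather than tribal knowledge; the same structure can then feed both a periodic vendor review and a real-time alert, since any event that reaches `triage` with a non-empty result is, by definition, outside what the vendor was engaged to do.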

No matter how impervious your own security measures might be, whether they protect a casino safe, a list of casino clients, or a law firm's client data, social engineering attacks targeting outsourced third-party vendors are a significant cybersecurity threat that organizations must address.

To defend against these threats, avoid fines, safeguard clients' data and preserve their brand, companies must adopt a holistic approach to cybersecurity, combining technical safeguards with security training and continual vendor assessments.