‘60 Minutes’ Exposes Catastrophic Threats to Casino Cybersecurity

When it comes to the biggest casino companies in the world, it appears the cats have become the mice.

Casino gambling has always been a cat-and-mouse game on different levels -- between gamblers and the house, advantage players against pit bosses, and sports bettors versus oddsmakers. 

Getting the best of it – including stealing from casinos – seems almost Robin Hood-esque. Indeed, in pop culture we often cheer for the thieves and robbers when they're taking on Big Casinos, as evidenced by four wildly-popular Oceans movies (11, Eleven, Thirteen, Eight), and counting.

Okay, so robbing casino vaults in those films may have been purely fiction. But even in real life, it’s hard to muster up much sympathy for corporations that rake in hundreds of millions in annual profits, yet squeeze every gullible victim who walks in the door for maximum gain and pain.

​​"More money has been stolen with the point of a pen than at the point of a gun." - Warren Buffett

Now, casino heists have evolved with the times. Cyber-thieves employ sophisticated high-tech tools and 21st century tactics. This usually means no more life-or-death risks at the barrel of a gun. No need to haul vast sums of loot out the door in duffel bags, either. No need to even be in Nevada to rob a Las Vegas casino.

Today, access to the vault comes by text and keystroke in a new game of cat and mouse-clicks. And the stakes are bigger than ever, as evidenced by two attempted casino heists this past fall. 

The Scattered Spider casino attacks gave a glimpse at the future of corporate-sized cybershakedowns.

Cyberattacks Prove Crime (Sometimes) Pays

On Sunday, venerable TV news magazine 60 Minutes ran a feature on cybersecurity and hacking. The most high-profile attack recently was last year’s dark web ambush and data breach targeting casino mega-giant MGM Resorts.

So, what happened? Well, Las Vegas was turned upside down for days.

In September 2023, hackers were able to break into MGM's company-wide computer systems to launch a massive ransomware attack. The disruption led to immediate operational failures system wide, including disabling most online reservation systems, digital room keys, slots, and online operations.

Gamblers playing video devices suddenly saw their machines go to a blue screen. Guests couldn’t get into their rooms. Elevators stopped working. Visitors who parked their cars in MGM garages couldn’t even exit the parking lots. Essentially, the cyberattack completely shut down the company. Losses have been estimated at $100 million, so far.

According to the report, the blackmail-for-ransom scheme was just the latest attempt to shake down major targets with deep pockets. Casinos, health-care providers, energy companies, and even government agencies have all been attacked. Hackers, who are often hard to locate and even more difficult to arrest and prosecute, threaten to disrupt computerized operations unless a ransom is paid. Sometimes, the demands are for millions of dollars.

On this most recent occasion, BlackCat, a North America-based cyber gang claimed "credit" for the security breach. Investigators later learned this loosely-affiliated group of hackers was linked with another dark web syndicate named Scattered Spider, one of the world's most notorious international criminal hacking organizations.

Scattered Spider now operates with nearly full autonomy from Russia and mostly targets governments and businesses located in the West, including the United States.

Read More: ​​Cybersecurity investigators worry ransomware attacks may worsen as young, Western hackers work with Russians [CBS News]

The MGM attack wasn’t an isolated incident. Incredibly, a nearly identical threat on Caesars Entertainment occurred just a few weeks prior. The difference: Caesars paid the ransom! Hackers reportedly demanded $30 million from Las Vegas’ other casino mega-giant, and then settled for about half. Hence, Caesars (temporarily, as for now) avoided mass disruptions while their competitor reeled.

Yet, one must still wonder how long it will be before another hefty ransom demand is made, Does anyone expect this to stop – especially since a major company capitulated to threats?

The ransom “business model” has proven that crime pays – sometimes. After Caesars, the same hacking group allegedly moved next on to MGM Resorts. When that company refused to pay, they were attacked.

Advantage: Hackers

Cyber attacks might be as close to a “perfect crime” as things get. The prospect of acquiring millions in ransom payments, typically transferred via cryptocurrencies (most of which is untraceable) makes this form of high-tech crime a perpetual temptation. The risk-reward ratio makes cyber crime not just expected, but inevitable.

These criminal networks also tend to employ vast numbers of skilled cyber specialists, including hackers. Talent is state-of-the-art, despite many cybercriminals being only in their early 20s or even teenagers.60 Minutes reported that some hackers have been discovered to be as young as age 13.

Worried that the threat is bad now? Just wait until they grow up.

Moreover, many hacking networks are operating far beyond the reach of conventional American law enforcement. A sizable percentage orchestrate attacks from outside the United States. Even when hackers are located by city and country and sometimes even identified by name, it's usually impossible to arrest and prosecute those who are guilty of ransomware-related crimes. So, many cybercriminals operate with few negative consequences, and so many easy targets leave their ongoing vulnerabilities exposed. 

What makes cyber crimes relatively easy to pull off for those skilled enough to hack into vast computer systems is that the target is only as safe as the weakest link.

For example, the 2023 MGM Resorts break-in all started when a hacker impersonated a casino employee and called the company asking to reset a password to log in. Once the hacker was able to sign on and infiltrate the casino-resort’s extensive network, the attack was launched.

The hackers didn’t get money from MGM Resorts despite their dubious efforts, but the attack was an unmistakable warning shot and devastating proof of the serious dangers and financial costs of what can happen when the bad guys follow through on their threats.

Why Do Casino Cyberattacks Matter?

Even if you're unsympathetic to the plight of the casino industry, or don't work in the sector, all consumers should be aware of the critical dangers posed by these threats. This particularly pertains to gamblers.

Online gambling -- including standard casino games, sports betting, and poker -- will continue to increase their market share. Over time, this makes individual gamblers attractive targets. We've already seen multiple scandals in online poker, some even perpetrated by online operators.

One expects that as volume increases, so too will nefarious attempts to violate cyber security. Land-based casino activities are just as vulnerable. Accordingly, every gambler should take precautions.

Hackers and their gangs are certain to copycat the crimes that work, and will continuously upgrade those that don't. Bringing MGM Resorts to a standstill last year could be the first tumbling domino in bringing down a major medical network this year and then a major bank next year. Then, it's a total free-for-all.

As proof of this persistent threat, recall the Colonial Pipeline ransomware cyberattack, which impacted 65 million Americans in May 2021. More than half of all fuel consumed on the East Coast was transported via a pipeline system that was shut down.

The attack stopped only after the company paid out a $4.4 million ransom. And America couldn't deny that it’s energy supply was alarmingly susceptible to assault.

Paying ransoms? That seems terribly self-defeating in the long-term for everyone. Feeding the beast isn't a solution. It just makes the beast bigger and more dangerous. However, what options are there and is there any solution?

The FBI’s cyber division focuses its efforts on computer intrusions, identity theft, and cyber fraud. (Image: American Photo Archive/Alamy)

Did MGM Make the Right Move?

MGM's decision not to pay hackers is in line with official guidance from the Federal Bureau of Investigation, which doesn't support anyone paying ransom. Doing so doesn't guarantee that a company will recover its data, but does reward hackers and encourage bad actors to target more victims, the FBI's website says.

So what (if anything) are major casino companies are doing to reduce the threat of sophisticated cyberattacks. Understandably, most are reluctant to disclose specifics.

It doesn’t bode well for future prospects and countermeasures that ransoms have been paid in the past. One must wonder if MGM Resorts would make a Faustian bargain – as Caesars did – to pay the hackers a smaller sum next time rather than risk losing another $100 million while irritating thousands of customers. This could be a dilemma they, or another major company might face.

It doesn't help matters that the so-called "good guys" are also fighting among themselves. This week, MGM Resorts sued the Federal Trade Commission in an attempt to block a federal probe into the 2023 hack.

MGM said it was seeking to quash the FTC's demands for information because the casino giant was not a financial institution and therefore was not subject to FTC rules governing consumer financial data.

I reached out to MGM Resorts about the 60 Minutes investigative story with some of the questions brought up here, but no representative has responded to my inquiry so far.

However, after the 2023 cyberattack, MGM Resorts released a public statement, noting that the company immediately launched an investigation upon learning of the breach and hired leading cybersecurity experts to assist in coordinated efforts with law enforcement. 

"MGM Resorts takes the security of its systems and data very seriously and has put in place additional safeguards to further protect its systems," the company statement said.

My View

Generic corporate responses to legitimate consumer concerns are neither satisfactory, nor sufficient. Cyberattacks will most certainly happen again. No one is safe from these threats – individuals and multinational corporations are alike.

Until the risks outweigh the rewards, and that doesn’t appear anywhere close to happening in today’s cyber and legal landscape, casinos and other gambling-related companies should brace themselves for future attacks. Cybercrime in casino-resorts and gambling has become inevitable. 

And the more we come to understand about the most recent high-stakes attacks, the more we learn how vulnerable we are.

Always opinionated and often controversial, Nolan Dalla has written extensively about Las Vegas and the casino gambling scene for 30 years. When he's not writing and gambling, he loves dining out, drinking cheap wine, and avoiding getting a real job. Dalla also goes on massive tilt when losing, and is known for some epic, profanity-laden rants. Contact him directly at:[email protected].