Ever since gambling was legalized in Nevada in 1931, very little has stood in the way of an industry that never seems to run short of customers with money to lose in its nearly 300 casinos.
They don’t call electronic slot machines “one-armed bandits” for no reason. And yet the idea of walking out of a casino with a fortune has always lurked on the edge of popular culture, most famously in the 1960 Rat Pack heist movie “Ocean’s 11.”
Now it looks as if the casino heist might finally have happened for real with rumors flying about a series of huge ransomware attacks affecting Las Vegas gaming groups in recent weeks.
The most public of these happened late on Sept. 10, affecting MGM Resorts International and several of its Las Vegas casinos. Slot machines fell silent while some customers noticed that the hotel room key systems had started behaving strangely.
Others had reservations canceled or found they were unable to pay for food with debit cards. As elevators stopped working, a number of MGM Resorts International websites became “currently unavailable.”
A day later, the company admitted on X (formerly Twitter) it had been hit by a “cybersecurity issue affecting some of the company’s systems,” which it was investigating with the help of “cybersecurity experts.”
Casinos might look very similar to the casinos of the past, but these days they are more like digitalized platforms with bars and hotels attached. That makes them vulnerable to cyberattack. By Thursday, Sept. 14, the company confirmed that the attackers accessed its loyalty program database, turning the incident into a full-blown data breach.
Some details have yet to be confirmed but it was no surprise that suspicion pointed toward a ransomware attack. Cue the influential VX-underground feed on X, which claimed that the attack was the work of the BlackCat (ALPHV) ransomware group, courtesy of information passed to them by the attackers themselves.
How did the attackers get in? According to this source, the attack unfolded using simple social engineering:
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”
The MGM Resorts attack has since been claimed by a new ransomware group, “Scattered Spider,” which might have connections to BlackCat. A ransom was demanded which, VX-underground said, they doubted would be paid.
And yet there are reports that at least one other casino group recently paid a $30 million ransom to attackers to prevent data from being published.
Normally, the chances of a company revealing further details of the attack would be small, but Nevada might be an exception thanks to gaming regulation NRS 463.0129. Passed at the beginning of 2023, this requires organizations to notify gaming regulators of an incident affecting personally identifiable information (PII) within 72 hours.
In effect, Nevada enacted cybersecurity reporting regulations specifically for its gaming industry, something normally reserved for critical infrastructure. That might be the point—for Nevada, gaming is a form of critical infrastructure.
What does this extraordinary assault on Nevada’s gaming industry tell us? Sadly, it’s that we should forget the glamor of “Ocean’s 11” or any of the subsequent remakes featuring photogenic Hollywood actors. That was an entertaining fantasy. Today’s heists are dull digital events conducted from thousands of miles away by hackers who’ve probably never heard of Frank Sinatra, Sammy Davis Jr., or Dean Martin.