A mandatory filing has revealed that Caesars Entertainment quietly made a ransom payment to resolve a cyber attack in August, just before rival company MGM was hit. Both appear to have been hit by a relatively new group called “Scattered Spider” that was able to use social engineering against help desk employees.
Caesars negotiated the ransom payment down to $15 million from an initial demand of $30 million, and does not appear to have experienced any disruption to its operations. The incident is interesting as it provides a literal side-by-side example of two businesses in the same industry handling the same cyber attack, but with completely different outcomes as MGM enters its second week of trying to restore its normal operations after refusing to make a payment.
Smooth sailing for Caesars after ransom payment
Making a ransom payment is never a guarantee of a positive outcome, but given how hard its Vegas Strip rival was hit, it’s hard to say that Caesars made the wrong choice in this particular situation. Caesars does not appear to have ever lost normal operation, and is now reaping the benefit of frustrated players and vacationers leaving MGM properties that continue to have game and amenity outages.
Had MGM also chosen to make a ransom payment, we might now know fewer details about the attacker and exactly what happened. Scattered Spider has now taken to the dark web and social media to chastise MGM for poor security and internal communication, and has revealed that it hit the company’s virtual machine system with ransomware.
Caesars says that its cyber insurance will only partially cover the ransom payment, but that it does not expect the incident to have a material impact on its overall business. As of Monday, a little over a week after the MGM cyber attack began, customers were still on social media reporting sporadic issues with the casino’s loyalty program functions and slot machines on the gaming floors.
The Caesars filing also indicates that the cyber attack was initiated via social engineering. This appears to be a signature of Scattered Spider, whose members are thought to be in the US and UK. In both cases it appears that a help desk employee was targeted, scouted out via LinkedIn prior to the attack.
Caesars reveals that hackers exfiltrated loyalty program database in cyber attack
One of the big concerns that remains in the MGM cyber attack is exactly what customer and employee information may have been exfiltrated, as at this point it seems to be destined either for sale on the dark web or public dumping. Caesars says that it made its ransom payment to prevent a stolen copy of the loyalty program database from similarly going public; this did not contain payment information, but did have some Social Security and driver’s license numbers. MGM experienced a breach in 2019 that involved the leak of information from 10.6 million hotel guests; that data set has since been dumped to Telegram and other sources for free access.
MGM and Caesars are the two heavyweights of the Vegas Strip, each owning multiple properties that are often grouped together to dominate individual blocks of the gambling haven. MGM has not yet specified exactly what information was stolen; Scattered Spider has claimed that it took six terabytes of data from the company, but has yet to leak anything to the dark web.