Around September 7, 2023, Caesars Entertainment allegedly suffered a massive data breach, in which a group known as "Scattered Spider" infiltrated the company's IT vendor through social engineering.
As a result, the cybercriminal group was allegedly able to download Caesars' loyalty program database, which includes the personally identifiable information ("PII") of more than 65 million rewards program members. The group then demanded a $30m ransom, of which Caesars reportedly paid half.
Affected hotels and casinos may include Caesars Palace, the Cromwell, the Flamingo, the Horseshoe, the LINQ Hotel & Casino, Paris Las Vegas, Planet Hollywood Resort & Casino, Harrah's Las Vegas, and the Rio All-Suite Hotel & Casino.
Although Caesars has not yet confirmed exactly what data was stolen in the breach, it informs rewards program members that it may collect a wide range of PII, including full names, addresses, phone numbers, email addresses, credit card numbers, Social Security numbers, driver's licenses, passport numbers, license plates, geolocation data, birthdates, purchase information, gaming activity information, biometric information, and health information.
As a result, Caesars customers have likely been exposed to increased risks of fraud, identity theft, and other serious misuse of their PII.
Customers may be entitled to money damages and an injunction requiring changes to Caesars' cybersecurity practices.
Cyberattacks have become increasingly frequent in the hotel industry, with Motel One Group, one of Europe’s largest hotel operators, recently falling victim to a data breach.
To tackle cyber threats like the one Caesars faced, a company’s cybersecurity strategy must involve contingency planning, outlining immediate actions, post-data-breach responses, and an understanding of the company’s current cyber risks.