Las Vegas Sands Corp. said Friday “some legally protected data” was stolen from customers and employees of the company’s hotel-casino in Bethlehem, Pa., following last month’s sophisticated cyber attack on the casino operator’s internal computer operations.
Legally protected data includes Social Security numbers, drivers license numbers and passport numbers.
The company did not reveal the number of customers or employees affected by the information theft in a filing with the U.S. Securities and Exchange Commission Friday. However, Las Vegas Sands spokesman Ron Reese, when pressed, said the number was “in the mid five-figure range.”
Las Vegas Sands said it was unclear if credit card information from customers and employees of the Sands Bethlehem was also stolen in the attack.
The company, which owns casinos on the Strip, Macau, Singapore and Pennsylvania, said it was still determining the full extent of the hacking that took down the company’s Web presence for nearly a week, starting Feb. 11.
Reese said the number of customers identified represents “less than 1 percent of our total visitation to the property.”
Sands Bethlehem has a 300-room hotel and is the second-largest casino in Pennsylvania with 3,012 slot machines and 183 table games spread across a 145,359-square-foot gambling floor. The casino produced the most gaming revenue of Pennsylvania’s 12 casinos in 2013 and contributed almost $500 million in net revenues to the company in 2013.
Las Vegas Sands said a mailing database, “similar to what any direct marketing firm would use for promotional purposes,” was also stolen from the casino.
“We deeply regret that this data breach occurred, and we are working to ensure that the identified customers are protected,” Reese said in the statement. “Las Vegas Sands is providing credit card monitoring and identity theft protection and we are notifying those customers about this coverage.”
Reese said the company made a toll free number and a website available for anyone with questions or concerns. The Sands Bethlehem Data Breach Information Line can be reached at 1-866-579-2213 and the website address is www.sandsinfo.com.
The attack, which is being investigated by the FBI and the U.S. Secret Service, also compromised the casino operator’s internal operating systems, including email and other corporate functions.
In the SEC filing, Las Vegas Sands said the attack may have destroyed certain company data. Las Vegas Sands was unable to determine the financial loss from the cyber attack, “based on the preliminary status of the investigations and the absence of claims asserted thus far.”
In a statement, Las Vegas Sands has not yet determined if customer and employee information had been stolen from its other casinos, including The Venetian and Palazzo on the Strip.
“We continue to work diligently with law enforcement officials and internal and external forensic IT experts to recover damaged data, restore lost data and determine the extent of data impacted in Las Vegas, as well as to ensure that the cyber criminals are identified and prosecuted,” Reese said.
The cyber attack forced Las Vegas Sands to remove all the company’s individual casino websites as well as the company’s corporate website from the Internet. The company’s presence was restored almost two weeks ago, but the website were scaled down from their original features.
In video images from the original cyber attack, hackers defaced the company’s casino websites with images condemning Las Vegas Sands CEO Sheldon Adelson for comments he made last fall at Yeshiva University in New York about using nuclear weapons on Iran.
Adelson is an outspoken supporter of Israel and a generous donor to Republican candidates.
The hackers at one point referred to themselves as the “Anti WMD Team.”
Two weeks ago, a 11-minute video surfaced purporting to show stolen internal company information and taunting the company. The video was e-mailed to several media outlets and was posted to YouTube.com, but was pulled down by the website.
The video showed what was described as internal information from Sands Bethlehem, including passwords, employee files, and other private information about the casino and its workers.
Bubble quotes with the words, “Do you really think that only your mail server has been taken down?!! Like hell it has!!”, “So there!!!” and “Wow!” were superimposed on screens showing central server identification and proprietary information from the casino.
Contact reporter Howard Stutz at email@example.com or 702-477-3871. Follow @howardstutz on Twitter.