Updated September 23, 2023 - 11:36 am
A gaming regulator has asked for a public update on the cybersecurity attacks on two major casino companies.
Nevada Gaming Commissioner Brian Krolicki, at the conclusion of Thursday’s commission meeting, asked for details on the attack on MGM Resorts International that began Sept. 10 and crippled the company’s computer systems for nine days as well as the late August attack on Caesars Entertainment Inc. in which the company reportedly paid a multimillion-dollar amount in a ransomware extortion plot.
“Right now, the priority is just recover and make sure that patrons are made whole and the systems are secure,” Krolicki said at the conclusion of the meeting. “But I think at some point in time when there’s the energy and understanding of what just happened if we could get some kind of briefing on what’s transpired that’s appropriate for public record and perhaps a policy going forward.”
MGM and Caesars have provided few details about the separate incidents, reportedly carried out by two Eastern European hacker gangs based in Russia.
Representatives of MGM had no comment on Krolicki’s remarks and Caesars did not respond to emailed inquiries.
MGM on Thursday said its credit card systems are back on line after being knocked out for several days.
Customers told the Las Vegas Review-Journal they were concerned about a practice of clerks asking them to write down their credit card numbers for later processing. In some cases, customers said they still hadn’t seen charges made on cards.
A company spokesman explained that while the credit card system was offline, the company used a modified system it only uses under those circumstances. The spokesman said written names and numbers are kept under lock and key, processed and then destroyed. He speculated it may have taken a little longer than expected for some customers since everything was done manually when the systems were down.
There also are scattered reports that guests have canceled their stays at MGM properties fearing that the hack may have exposed personal information publicly. MGM has not commented on details about cancellations or any other aspect of the attack.
Krolicki’s request could not be acted on because it was made during a public comment period.
“How do we avoid these things if they do happen, what are the reporting schemes?” he asked. “Were they immediately reported to the Gaming Control Board? There are a lot of questions and a lot of publicity. It’s a global story and I just believe it would behoove all of us to get a handle on what just happened.”