Nevada’s top gaming regulator says it isn’t likely the Nevada Gaming Control Board will discuss the cybersecurity attacks on MGM Resorts International and Caesars Entertainment Inc. anytime soon because the matter is an active police investigation.
Gaming Control Board Chairman Kirk Hendrick on Wednesday said the board “is now acting in its capacity as an investigative and law enforcement agency to support the gaming industry and protect the state of Nevada and its citizens and visitors.”
The FBI confirmed in September that it was investigating the cyberattacks that effectively shut down most of MGM’s computerized systems. The company reported later in the month that most systems had returned to normal.
The disruption affected MGM properties nationwide for nine days, while Caesars had few public-facing problems because the company reportedly paid a multimillion-dollar ransomware demand.
“Nevada’s gaming regulators were forward-thinking last year when Nevada Gaming Commission Regulation 5.260 was adopted to mandate that certain nonrestricted licensees must develop cybersecurity best practices, and thereafter continually monitor and evaluate those practices,” Hendrick said during a break from Wednesday’s Control Board meeting.
“Pursuant to the statutory directive of the Gaming Control Act, it would not be prudent to publicly review any particular licensee’s cybersecurity practices or response to any incident,” he said. “If updates to the cybersecurity requirements outlined in NGC Regulation 5 are warranted, those matters will be discussed in public board and commission meetings.”
Hendrick’s remarks came as the aftereffects of the cybersecurity attack continued to give some MGM customers jitters.
BetMGM customers complained on social media late Tuesday and early Wednesday that they were unable to access their mobile betting accounts.
A spokesman for BetMGM acknowledged the problem, but said it had nothing to do with problems MGM had in September.
“We are aware of a technical issue earlier today that resulted in some customers experiencing delays or difficulty accessing their accounts,” a BetMGM spokesman said in an emailed statement Wednesday. “That issue has been resolved.”
A person familiar with the situation said reports that cybercriminals had redirected mobile betting funds to different, altered accounts were unfounded.
Meanwhile, a 10th class-action lawsuit seeking damages from either MGM or Caesars was filed Wednesday in U.S. District Court in Nevada.
David Terezo, who was identified in the lawsuit as an MGM Rewards member from Woodbury, New York, became the 10th person to file a lawsuit alleging that MGM failed “to prevent a cyberattack that resulted in the theft and dissemination of plaintiff’s and other similarly situated consumers’ sensitive information, including … their full names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers and/or driver’s license numbers.”
The lawsuit seeks unspecified damages from the company and demands that it better protect its data through encryption, undergo regular third-party checks to assure compliance and educate employees to prevent further attacks that could compromise customers’ personal information.
MGM officials had no comment on the new lawsuit, and neither MGM nor Caesars has commented on previous lawsuits.
Legal experts, on background, told the Review-Journal Wednesday that it is likely a judge assigned to the case would move to consolidate the class-action complaints into one action because they are similar to each other and complex.