Caesars Entertainment confirmed that a social-engineering attack beginning in mid-August led to the theft of data from members of its customer rewards program, according to a filing with the Maine attorney general’s office.
The social-engineering attack on an outsourced IT support vendor resulted in unauthorized access on Aug. 18 and led to a data breach on Aug. 23, according to information in the Friday filing. The company said the breach was discovered Sept. 7.
Caesars did not disclose a total number of customers impacted by the breach, but information listed in the Maine filing shows 41,397 Maine residents were affected.
As previously reported, Caesars disclosed the hack in a Sept. 14 filing with the Securities and Exchange Commission after Bloomberg disclosed the attack.The customer loyalty database included Social Security numbers and drivers license numbers for members, according to the SEC filing. There was no evidence of payment card or bank account data being accessed.
Caesars paid millions of dollars to the Scattered Spider threat group after it hacked the company and threatened to release company data, Bloomberg reported on Sept. 13. There is no reference to ransomware in the consumer disclosure, raising questions about whether the company is holding back details about the nature of the attack.
The disclosure came just one day after MGM Resorts disclosed a cyberattack with the Maine attorney general’s office. Security researchers say MGM Resorts was attacked by the same threat groups using similar methods as the Caesars Entertainment attack.
MGM Resorts disclosed it would take a $100 million financial hit from the attack, which severely impacted room occupancy, gaming operations and entertainment at its Las Vegas properties.
Multiple class action lawsuits have been filed in federal court against MGM Resorts and Caesars Entertainment by customers claiming negligence and unjust enrichment.
Scattered Spider is suspected of working with a group called AlphV/BlackCat, using a voice-phishing technique to trick IT support or call center workers into bypassing multifactor authentication.
The Caesars timeline raises questions about just how long the hackers were inside the company systems before they were either discovered or made themselves known to the company in a ransomware attack.
Ransomware groups have developed the ability to access and encrypt data much faster and mask their activities in recent times, which makes it more difficult to detect.
A report released Thursday by SecureWorks shows that median dwell times have dropped significantly to less than a day from 4.5 days, just 12 months ago.
“The median dwell time dropping shows that, across all ransomware incidents, we’re seeing more actors trying to get in and out as quickly as possible,” Chris Yule, director of threat research at Secureworks’ Counter Threat Unit, said via email. “This reduces the chances of them being detected, but also the amount of damage they can do and the ransoms they can charge.”