The World Game Protection Conference recently took place at the Tropicana Las Vegas. Among the speakers was Vaillance Group Chief Executive Officer Shawnee Delaney, a former clandestine officer with the Defense Intelligence Agency who conducted human-intelligence operations in Iraq and Afghanistan. Delaney discussed security vulnerabilities faced by casinos.
She said, “You might be wondering what a former spy is doing here today and what espionage has to do with security and cybersecurity. A lot. Spies, social engineers and other malicious actors all use the exact same techniques to get access to you and your people, systems and network.”
Delaney noted casinos rely on third parties for services, resulting in hackers accessing casinos via third-party systems. In fact, she said 51 percent of gaming industry companies believe they’ve been the victim of a data breach caused by a third party. “Third-party threats are the most often overlooked. Can you control who they’re hiring and if they’ve gone through training? You have no control over these third parties and this is something you’re going to have to assess,” Delaney said.
She also addressed how casinos use internet connections for wearable devices, cameras, motion detectors, consumption-tracking technology, trackable casino chips and checking in and out of hotels. Delaney said a casino hotel was hacked via its fish tank’s internet connection. “You’d never think that a thermometer for a fish tank would be exploitable. Hackers got in, disrupted the network, took everything and pulled it up into the cloud. Integrity, confidentiality, availability−all gone.”
Online gaming also is a prime target for hackers who access customer accounts and steal banking details and other personal data. The damage extends to expensive investigations and triage, as well as negative media coverage. When the Las Vegas Sands and Hard Rock Hotel & Casino were hacked a decade ago, they lost a total of more than $1 billion on gaming websites and operational networks. The Sands hackers, connected to the Iranian government, got hold of earnings, staff, and customer information, Delaney said.
She also mentioned the 2014 hacks of the Venetian and Palazzo, owned by the Sands, resulting in losses of $40 million as websites were hacked and taken down and personal information of staff and high-profile customers was taken. Delaney also noted BetMGM and DraftKings were hacked late last year, with more than 2 million accounts offered for sale on the dark web.
Delaney stated the most prevalent threats typically exist within an organization, including fraud, sabotage, espionage and theft of intellectual property and trade secrets. Workplace violence also has to be considered. Employees can be fooled of manipulated to reveal credentials to hackers, Delaney said. In fact, when the Covid-19 pandemic began, gaming companies experienced a “significant rise” in insider fraud and theft of intellectual property.
Delaney noted, “People, I think, were hedging their bets. There were a lot of job losses and a ton of layoffs, especially in the tech sector. People were really worried about how they were going to provide for their families. So, they pocketed stuff, either money or technology.”
Surprisingly, more women than men commit fraud, Delaney said. She explained fraud usually is committed by lower-level staff and unsophisticated people, motivated by low pay, job frustration, lack of loyalty, debt, addiction, revenge and a hostile work environment. It mostly occurs during business hours, Delaney said.
Malicious insiders who commit espionage or IT sabotage primarily are male engineers or scientists with technical positions and privileged access, Delaney said. These threats make up about 10 percent of cases and take place after business hours, causing business disruption about 75 percent of the time. Motivations include financial gain, politics, addiction, revenue and power.
Delaney said casinos need to create a strong insider-threat program, conduct threat-vulnerability assessments and institute training and awareness across the company. “Build awareness campaigns, have training, do Hollywood videos and do microlearning. Do whatever you have to do. There’s a return on investment. You don’t want to wait until there’s a horrible fish-tank incident,” she cautioned.
