MGM, Caesars Face Lawsuits Over Cyberattacks; NIGC Seeks Public Update

Caesars Entertainment and MGM Resorts International are now facing five separate class-action lawsuits related to the compromise of personal data in the recent cyberattacks.

Law firms representing customers of Caesars Entertainment and MGM Resorts International have filed five class-action lawsuits against the two operators, alleging failure to protect customer data during recent cyberattacks.

An apparent ransomware attack afflicted MGM Resorts beginning on September 10, disrupting the company’s reservation, POS and room-key systems for 10 days. It followed another cyberattack on Caesars Entertainment, which the operator reported to the U.S. Securities and Exchange Commission (SEC). That attack did not disrupt operations but compromised personal information in the 65 million-member Caesars Rewards database.

Law firms Stranch, Jennings and Garvey PLLC, a Las Vegas practice, and Kopelowitz Ostrow Ferguson Weiselberg Gilbert, a Florida practice, filed four lawsuits—two against Caesars and two against MGM—on September 21. A fifth lawsuit was filed the next day against Caesars by Reno-based O’Mara Law Firm and Chicago-based Barnow and Associates.

The lawsuits represent Caesars and MGM customers in various states. They allege the operators failed to safeguard personal information and failed to comply with Federal Trade Commission guidelines and industry standards for maintaining proper cybersecurity efforts.

Attorneys representing the plaintiffs, and both operators, did not respond to requests for comment, according to the Las Vegas Review-Journal. No information has been released on damages being sought.

Meanwhile, Nevada Gaming Commissioner Brian Krolicki has called for a public update regarding the cybersecurity attacks.

During a commission meeting held on September 21, Krolicki requested information on both cyberattacks.

“Right now, the priority is just to recover and make sure that patrons are made whole and the systems are secure,” Krolicki said at the conclusion of the meeting, according to the Review-Journal. “But I think at some point in time when there’s the energy and understanding of what just happened, (we would like to) get some kind of briefing on what’s transpired that’s appropriate for public record and perhaps a policy going forward.”

While MGM and Caesars have not publicly discussed whether they paid ransom to restore their systems, several reports have pointed to an Eastern European ransomware group called Scattered Spider, with one report saying the group has claimed responsibility for both attacks.

“How do we avoid these things if they do happen, and what are the reporting schemes?” Krolicki commented to the Review-Journal. “Were they immediately reported to the Gaming Control Board? There are a lot of questions and a lot of publicity. It’s a global story, and I just believe it would behoove all of us to get a handle on what just happened.”

The National Indian Gaming Commission (NIGC) has chimed in on the events, issuing a thinly veiled critique of the cybersecurity safeguards in place at both operators. The NIGC has championed its reliance on superior technology for security at tribal-owned properties, including at New York casinos.

“Cyber related attacks impact organizations, big and small, have increased in recent years, and are not going away,” a statement from the NIGC read. “To significantly reduce risk to IT systems, it is prudent for organizations to employ a layered, redundant approach to cybersecurity.”

The NIGC, a federal regulatory agency, said it utilizes “a progression of layered defensive mechanisms to safeguard data, information, and information systems,” according to PlayNY. The NIGC calls it a “Defense in Depth” method, comparing it to security measures used in medieval castles.