Since the onset of Covid, operators across the industry have battled account hacks of varying severity. Last November, leading bookmaker DraftKings suffered one of the most noteworthy attacks, which affected almost 68,000 accounts. Some patrons lost thousands of dollars, but the company made good on the losses. Still, such attacks have not gone unnoticed by regulators.
“The New Jersey Division of Gaming Enforcement has cybersecurity-specific mandates for online gaming licensees and operators to ensure they take precautions to protect themselves and their patrons from cyber criminals,” said Dan Prochilo, public information officer for the New Jersey Attorney General’s Office.
In New Jersey, one key part of these mandates is that operators must notify the state’s Division of Gaming Enforcement (DGE) immediately when a cyber-threat emerges or a cyberattack occurs.
“In the wake of such attacks, the DGE requires a full report from the licensee with complete details,” Prochilo said. “The DGE notifies other susceptible licensees and coordinates responses with other law enforcement agencies as needed.”
The DraftKings attack led to a loss of $300,000 in funds. A lawyer for the company described the incident as a credential stuffing attack, in which attackers take username and password pairs exposed in breaches of other websites and replay them, usually at high volume and from automated tooling, against an unrelated service. Many users reuse the same password across different websites, and attackers rely on exactly that habit: a password leaked from one site is tried against accounts on another.
“Based on our investigation to date, we believe that attackers may have previously gained access to your username or email address and password from a non-DraftKings source and then used those credentials to access your DraftKings account,” the sportsbook said in its notice to affected users.
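The mechanism described above, many stolen username/password pairs replayed against a site from a small set of source addresses, leaves a distinctive shape in authentication logs: one client tries many distinct usernames in a short window, most attempts fail, and the few that succeed are the accounts that have just been taken over. The detector below is an added example written for this article, not code from DraftKings or any regulator. The log format (epoch, source IP, username, ok/fail), the sample lines and the thresholds are all constructed assumptions; a real deployment would read its own web or identity-provider logs and tune the thresholds to its traffic.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example for this article; not code from DraftKings or any regulator.
Assumed log format: "<epoch> <src_ip> <username> <ok|fail>" (an assumption).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (an assumption, not real traffic).
# 203.0.113.7 replays leaked credentials: ten different usernames in ten
# seconds, mostly failing, with two hits (dave, judy) = taken-over accounts.
# 198.51.100.20 is one user mistyping their own password twice.
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice fail
1700000001 203.0.113.7 bob fail
1700000002 203.0.113.7 carol fail
1700000003 203.0.113.7 dave ok
1700000004 203.0.113.7 erin fail
1700000005 203.0.113.7 frank fail
1700000006 203.0.113.7 grace fail
1700000007 203.0.113.7 heidi fail
1700000008 203.0.113.7 ivan fail
1700000009 203.0.113.7 judy ok
1700000010 198.51.100.20 alice fail
1700000011 198.51.100.20 alice fail
1700000012 198.51.100.20 alice ok
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (ok|fail)$")


@dataclass
class BucketStats:
    """Per (source IP, time bucket) counters."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # usernames that logged in


def parse_log(text):
    """Parse log lines into (epoch, ip, user, result); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((int(ts), ip, user, result))
    return events


def detect_stuffing(events, window_s=300, min_users=5, max_success_ratio=0.3):
    """Return {ip: sorted usernames that succeeded from that ip} for IPs
    whose behaviour in any window matches credential stuffing: at least
    min_users distinct usernames with a success ratio at or below
    max_success_ratio. Thresholds are assumptions for the sample data."""
    buckets = defaultdict(BucketStats)
    for ts, ip, user, result in events:
        st = buckets[(ip, ts // window_s)]
        st.attempts += 1
        st.usernames.add(user)
        if result == "ok":
            st.successes.add(user)
        else:
            st.failures += 1

    flagged = defaultdict(set)
    for (ip, _bucket), st in buckets.items():
        success_ratio = 1 - st.failures / st.attempts
        if len(st.usernames) >= min_users and success_ratio <= max_success_ratio:
            # Accounts that authenticated from a stuffing source are the
            # ones to lock, notify, and force a password reset on.
            flagged[ip] |= st.successes
    return {ip: sorted(users) for ip, users in flagged.items()}


if __name__ == "__main__":
    for ip, users in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"stuffing source {ip}; likely compromised accounts: {users}")
```

The legitimate user at 198.51.100.20 is not flagged even though two of three attempts failed, because the rule keys on username breadth per source, not on failure count alone; a per-account lockout rule would have hit the victim, not the attacker. The useful output is the success list, since those are the accounts whose funds are now at risk.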
The attackers may have viewed a range of account data, including names, addresses and phone numbers, but of the payment information they could see only the last four digits of a credit or debit card number. DraftKings’ investigation found no evidence that the attackers accessed Social Security numbers, driver’s license numbers or financial account numbers.
“In compliance with applicable state laws, DraftKings provided formal notice of the credential stuffing attacks to certain customers in jurisdictions where required to do so,” reads an official DraftKings statement obtained by Legal Sports Report.
A total of 32 hacked DraftKings accounts bore Connecticut addresses, totaling $18,758 in fraudulent withdrawals, Kaitlyn Krasselt, a spokesperson for the Connecticut Department of Consumer Protection, told Legal Sports Report.
Five customers reached out to the New York State Gaming Commission about the hacks, Communications Director Brad Maione said. In Maine, 125 customers were impacted, even though sports betting is not yet in operation.
“While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account,” DraftKings said. “Therefore, the bad actors were not able to view this information.”
DraftKings aside, the DGE mandates that annual cybersecurity assessments be performed for all brick-and-mortar and online casinos and sportsbooks, Prochilo said. “These assessments are performed by third-parties selected by the licensee, who must also be a DGE-registered vendor. The division sets minimum standards for these annual assessments and each casino must address any cybersecurity issues found during the assessment.”
The Pennsylvania Gaming Control Board (PGCB) also requires annual security assessments performed by independent third-party cybersecurity companies, which identify any potential vulnerabilities and weaknesses in the operator’s platform.
“Operators are required to report the results of the security assessment along with a detailed remediation plan that must address any considerable risks identified as part of the security assessment,” said PGCB spokesman, Doug Harbach.
As of June 30, 2022, the DGE has required multi-factor authentication for customer logins, so that customers must provide an additional verification beyond their password to gain access to an account, Prochilo said. Two-step login, increasingly standard in gaming and other industries, helps protect customers from account takeover, since a password leaked from another site’s breach is no longer enough on its own.
“Plus the DGE requires licensees to develop their own cybersecurity procedures,” he said. “Each casino is required to have an Information Security Officer (ISO) for all aspects of information security, including the cybersecurity policies and procedures of their casino. The ISO is responsible for the security of their brick-and-mortar casino as well as the security of their associated Internet gaming platform.”
With all these cyber roadblocks in place, have they helped?
Online gaming operators have notified the DGE of distributed denial-of-service attacks, which slow or stop websites by flooding them with traffic, as well as of credential-stuffing attacks.
“Both private and public resources have immediately responded to combat and assist with the recovery from those incidents,” Prochilo said.
DraftKings, while based in Boston, has not yet operated a sportsbook in the Commonwealth, which will debut its three brick-and-mortar casino sportsbooks on January 31. Online operators will launch in early March. On January 19, the Massachusetts Gaming Commission (MGC) approved DraftKings for a preliminary online license, making it eligible for a one-year temporary license while a full review is undertaken.
“Generally speaking, our licensees are required to inform the MGC of any issues that would be under our responsibilities as regulator. I suspect more discussion will come up over the next few weeks at our public meetings regarding cyber security ahead of online sports wagering launching in March,” said Thomas Mills, a spokesman for the MGC.