Note to readers: Posting has been light as I’ve been travelling quite a bit.
***
Caesars, the casino giant, is famous in the data science community for being one of the foremost practitioners of the trade (link). The more advanced your analytical capabilities, the more data the business collects and accumulates, and the bigger the target for hackers.
The fact that Caesars has become the latest victim of ransomware isn’t much of a surprise. In a regulatory filing, Caesars disclosed that its loyalty membership database was stolen. It is reported that it paid a $15 million ransom to the hackers, presumably to "buy back" its own data - unlike MGM, another casino giant, which, as of this writing, hasn't paid a ransom but has had its operations interrupted (link).
Bad players are quick to adopt the latest technical innovations. According to some reports, the ransom was paid in bitcoin; that technology is the currency of choice for hackers, given that it is not controlled by any government.
Since the core Internet infrastructure was initially designed with zero security concerns, and cybersecurity consists of layers of band-aids, Caesars is correct that no one is immune to such attacks. U.S. businesses face mild consequences for security breaches – most likely, a small fine will be levied later. The required disclosure of the breach, and the cost of mitigation (such as hiring a PR firm and IT consultants), will be the main material consequences.
The company is following a tried-and-true playbook: they will send the victims of the data theft a notice, telling them they are eligible to enroll in a security monitoring subscription run by a third-party company.
That is closing the door after the horse has left the barn. The horse has eloped – permanently, I must add. Caesars said driver license numbers and social security numbers were stolen. For most Americans, these are their most personal identifiers, and they are essentially immutable, so bad players only need to steal them once. Enrolling in a credit monitoring service does absolutely nothing to reverse the potential damage from this theft.
In fact, the linkage to credit monitoring points to how this data theft is expected to hurt Caesars’s customers. The bad players will sell the database in some gray market, and another set of bad players will use the data to impersonate the victims in order to steal from them. By the time something shows up in a credit report, the theft will already have happened.
Obviously, monitoring credit does not prevent future cyberattacks.
And let it be said, this supposed compensation for data theft doubles as a “free trial” subscription for said third-party credit monitoring service. It’s a form of free marketing. From past notices I have received, I am not given a choice of selecting a service; I am directed to enroll in a specific service run by a specific credit agency.
***
We learn quite a bit from the limited disclosure by Caesars.
Personally identifiable data are always collected and stored by these businesses. They are stored in formats that are easily unscrambled. This last bit is a feature, not a bug. How else do you think they can “personalize” their product or service to you?
We only learn the most basic outline of the cyberattack since businesses only report on what the regulations require them to. Data other than social security numbers and driver license numbers were also stolen. If I had to guess, a lot of data related to customers’ activities at the casinos were stolen, since this is their loyalty database.
It’s even possible that the behavioral profiles created by data scientists from the data trove are also taken. Those are harder to monetize if the documentation of the underlying statistical models wasn’t found in the loot. (Nevertheless, if the bad players wanted to, they could reverse engineer the models to a good degree, or even build their own models.)
According to prior reports lauding their analytical capabilities, Caesars was extremely successful in pushing its loyalty program. Over 80 percent of customers opted into it for the benefits it confers (and that was a while ago). They famously monitor every move of each customer – initially to identify fraudsters, but eventually the same data streams were harnessed to “personalize” the customer experience while they are at a Caesars facility.
The method by which hackers gained access to Caesars’s systems is known euphemistically as “social engineering”. Let’s call the first-line victim of the cyberattack Employee X. Someone impersonated an associate of Employee X and was then able to capture Employee X’s credentials for accessing Caesars’s systems. This is a vicious cycle: the impersonation may have been facilitated by previous cyberattacks in which the associate’s personal information was stolen; otherwise, it is enabled by social networks – just think about how easy it is to learn the names of many people’s colleagues, family members, and friends by browsing their publicly available information on Facebook, LinkedIn, Instagram, etc.
[Ed: According to the report previously linked, the Caesars cyberattack was enabled by contact information lifted from a LinkedIn profile. It’s a topic for a different post, but social networks like LinkedIn have tremendous incentives to constantly encourage users to accept invitations from random people, which enlarges the “social graph”; all bad players need to do is create profiles of fake people.]
The funniest line in the regulatory disclosure is “we are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.” If someone uses your social security number to access your bank account and steal your money, it is simply impossible to trace it back to Caesars’s data breach. The perpetrator could have obtained that number from any number of sources, including other data breaches.
Thank you for describing 'social engineering'. Fake emails or texts without phishing links are growing in use.
Posted by: Georgette | 10/27/2023 at 08:30 PM