Wynn Resorts is the latest Las Vegas casino operator to be plagued by a cyberattack – or “cyber incident”, as termed in Nevada’s recently overhauled regulations – although the company says the affected files were deleted by the hacker.
The incident, which was reportedly carried out by a cybercrime group called ShinyHunters, involved roughly 800,000 records that included sensitive employee information.
Wynn confirmed to iGB that this was its first attack following the new protocols. The Nevada Gaming Control Board declined to confirm whether this was the first incident reported under the new regime.
According to The Register, the hackers claimed the attack on 20 February and set a $1.5 million ransom deadline of this Monday. Wynn acknowledged the attack in a statement on Tuesday, although it did not say if it paid the ransom.
“We have learned that an unauthorised third party acquired certain employee data,” the company said. “Upon discovery, we immediately activated our incident response protocols and launched a thorough investigation with the help of external cybersecurity experts.”
But that third party “stated that the stolen data has been deleted”, Wynn said, and the operator has “not seen any evidence that the data has been published or otherwise misused”.
Cybersecurity has been a sore subject for Las Vegas operators, as Caesars, MGM and Boyd also reported incidents in the last three years. State regulators this year approved a series of amendments to cybersecurity reporting rules aimed at ensuring transparency from licensees. The amendments emphasised quicker incident reporting requirements, although industry representatives cautioned that it is becoming increasingly difficult to assess the growing number of threats they face.
Cyber incident spurs two Wynn lawsuits
As a result of the incident, the company is facing two federal lawsuits. The first was filed by Richard Reed, a California resident and Wynn customer, seeking class-action status over allegations of negligent information handling. Reportedly, only employee data was affected, not that of customers.
Reed’s lawsuit was followed on Tuesday by one filed by former Wynn employee Drake Maynard. Maynard also seeks class-action status, but for employees impacted by the company’s lack of “adequate data security measures”.
The suit does not set a specific figure for damages but says the amount in question “exceeds $5 million”. Both Maynard and Reed filed suit in US District Court in Las Vegas. Wynn did not comment on the suits but confirmed it is offering credit and identity theft services to employees.
“While no company can ever eliminate the risk of a cyberattack, we are taking appropriate steps and working with industry-leading third-party IT advisors to strengthen our systems to protect against future incidents,” Wynn said.
Wynn has been wary of potential attacks for years. In one example, the company was forthcoming in disclosing potential cyber risks in its 2024 annual report filed with the Securities and Exchange Commission.
“Despite the security measures we currently have in place, our facilities and systems and those of our third-party information system service providers may be vulnerable to security breaches, acts of vandalism, phishing attacks, computer viruses, worms, ransomware, malicious software programmes, misplaced or lost data, programming or human errors and other events,” Wynn told the SEC.
Las Vegas casinos targets for crime
The casino industry, especially in Las Vegas, has become a hotspot for cyber crime. According to a UNLV study last year, there were more than 50 confirmed cyber incidents involving Nevada gaming companies from 2007-2023, with most coming in the last decade.
“Casinos are opportunistic targets because they have an extensive array of cyber entry points, have lots of money, and the public outcry is less conspicuous when they are attacked. As much of the gaming industry depends on old, antiquated technology, it is only a matter of time until bad actors expose weaknesses and vulnerabilities,” researchers wrote.
At an NGCB workshop in December, Chair Mike Dreitzer said the board felt that a “misalignment” had emerged between the old rules and what regulators deemed to be “best practice”.
Under the old rules, licensees were given 72 hours to notify the board of an incident. The new rules, finalised in January, require licensees to notify regulators within 24 hours “after activating the response procedures set forth in its cybersecurity incident response plan”. The board said these changes were necessary to facilitate better communication, even if it increases the number of false alarms and non-issues.
“There are a number of incidents that happen on a daily basis that we are investigating that never rise to the level of a material breach, which we could end up having to report by just giving the phone call,” Erik Hanson, information security officer for Affinity Gaming, said at the December workshop.
MGM, Caesars attacks among biggest in Las Vegas history
Las Vegas’ concerns about cyber crime culminated in two colossal 2023 attacks on MGM Resorts and Caesars Entertainment. Those attacks were widely attributed to the “Scattered Spider” hacker group, although they were separate.
Both companies experienced significant disruptions, which resulted in heavy losses and national media attention. Caesars confirmed that it paid a $15 million ransom to its attackers. While MGM did not pay a ransom, its incident reportedly cost the company approximately $100 million when its systems were offline for more than a week.
Last September, the Las Vegas Metropolitan Police Department announced that a teenager was taken into custody in connection to the attacks on charges of identity theft, extortion and unlawful acts regarding computers. In 2024, another teenager allegedly connected to the attacks was arrested in the small English town of Walsall. MGM assisted the UK investigation and released a statement afterwards.
“We’re proud to have assisted law enforcement in locating and arresting one of the alleged criminals responsible for the cyberattack against MGM Resorts and many others,” MGM said at the time. “We know first-hand the damage these criminals can do and the importance of working with law enforcement to fight back.
“By voluntarily shutting down our systems, refusing to pay a ransom and working with law enforcement on their investigation and response, the message to criminals was clear: it’s not worth it.”
Jess Marquez
Jess has covered the global gaming industry since 2022. A native of Reno, Nevada, he’d like to note that it’s Ne-va-da, not Ne-VAH-da.
Original article: https://igamingbusiness.com/casino/wynn-cyberattack-new-nevada-casino-regulations/
