In an exclusive interview with Gaming America, Tony Anscombe told us he doesn't think Las Vegas was going through anything unusual with the September cyberattacks disclosed by Sin City’s two largest casino operators.
MGM disclosed in an October US Securities and Exchange Commission filing that it lost around $100m as a result of a criminal cybersecurity attack, which started around September 11 and resulted in the theft of some customers’ Social Security numbers.
Caesars was hit around the same time by the same “threat groups,” who also stole some customers’ driver license information and Social Security numbers.
The hacks received heavy media attention, but Anscombe believes there’s nothing special about Las Vegas casinos or casinos in general that make them more vulnerable to such crimes. Rather, he said, every major business faces such a risk these days.
Vegas casinos just happen to be more visible, so their attacks garner more attention, he said.
Anscombe did acknowledge that Sin City casino databases might contain information that hackers find more appealing because that information concerns individuals’ behavior in Las Vegas, which is where people tend to cut loose outside of their norms.
“That does make Vegas data a specific target,” Anscombe conceded.
But he also added that corporations as sophisticated as MGM and Caesars are going to have better security – that is, better technology and software – than, say, the school district in Las Vegas, which also was the victim of a significant hack in October 2023.
Indeed, Anscombe said both MGM and Caesars became victims of cybersecurity attacks not because they had some fault in their technology, but because the hackers were able to manipulate real people working for the companies to give out critical information that gave the hackers access to their systems.
This is known as a “social engineering attack,” and Anscombe said the way to prevent them is for corporations like MGM and Caesars to drill into their employees’ heads to be cautious about giving out critical pieces of information.
Anscombe said companies often require their employees to attend cybersecurity training once a year. He said he thought companies should do that more often to really drive home the point.
“Companies need to continually evolve their cybersecurity,” he said.
MGM reportedly refused to pay the hackers’ ransom demands. Caesars reportedly paid.
Anscombe said giving into ransom demands encourages more attacks – but he said one of the biggest drivers of this behavior is insurance companies that offer cyber risk insurance. These policies, he said, will pay hackers’ ransoms, which Anscombe doesn’t agree with.
But also acknowledged that insurance companies only issue these policies once companies have beefed up their cybersecurity technology. So, he conceded that while these policies can encourage the wrong behavior, they’re also encouraging the right behavior as well.
All of this, however, is not unique to the world of gaming. Businesses everywhere, he said need to invest in “continual education of employees at all levels,” Anscombe said.
Anscombe also spoke to Gambling Insider in November, declaring that there is "honesty among thieves."
