Not Ocean’s 14: Casinos are also an e-Target
Casinos are no different from an accounting firm, hospital, or manufacturer in at least one sense where cybersecurity is concerned: these entities hold data that people want to steal. This data is then sold or otherwise leveraged by the attackers to generate revenue. One industry that has not been researched at length is casinos. These businesses tend to focus more on physical security, as the workers handle large amounts of cash, chips, and playing cards. Granted, this is exceptionally important. Without a robust physical security program in place, the physical items of value would simply walk out. The risk of physical theft is a completely valid area to secure as much as possible. As part of the overall security program, data security should also be addressed and implemented. Although the risk of physical theft is present, the data security risk is ever present. The attackers do not have to be physically on site to steal money or to sabotage the system. This attack may be carried out from virtually anywhere in the world with an adequate internet connection.
Casinos are just as likely as other entities to be the victim of a breach. This was the case with the Grey Eagle Casino in Calgary, when its employee data was compromised. The entry point for the attack was a computer in the Human Resources office that had been compromised. The data and information stolen consisted of confidential letters and files. These contained dozens of employees’ names and personal information. To authenticate this, data from approximately 12 documents, affecting over 12 employees, was posted online. Although the entry point was a Human Resources computer, the method used by the attacker was a phishing attack. The form was a phishing email with a malicious link, or the user ended up logging into a malicious website.
Although this compromise was embarrassing enough, it could have been much worse. This incident was isolated to one system. In theory, it would not have been too far a leap for the attackers to branch out and infect other computers on the network or the servers. Other data could have been harvested. The casino could also have been a victim of widespread ransomware.
This was a serious attack with serious consequences. To reduce the chance of this recurring any time soon, the casino may implement employee training sessions. These would need to be regular and applicable. If videos were to be used, these should not be the same bland ones shown for the last ten years. This attack made it rather apparent that the email system’s security was out of date or just not functioning well. The filter for phishing, spam, and other malware should red flag and quarantine such messages. To further decrease the opportunity for this to happen again, phishing test campaigns should also be run. With these in place, users will increase their awareness at least a bit, which in certain instances is all that is needed.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.