Amid the excitement of the Cosmopolitan opening and the end-of-year eagerness to get out of the office, an industry letter circulated by the Nevada Gaming Control Board attracted far less attention than it should have. Reading it is a reminder of just how reliant on player databases the industry has become.
Casinos have numerous caches of personal information about their customers. That’s the whole purpose of player loyalty clubs. The hotel and restaurant elements of casinos maintain credit-card data, and casino credit departments may have banking and other financial information.
According to the letter from then-Gaming Control Board member Randall Sayre on Dec. 15, the board has investigated “numerous incidents” where databases containing personal and/or financial information had been compromised. Further, the board acknowledged that as the amount of information in those databases increased, they would become an even more inviting target.
While most players wouldn’t be happy if the world discovered just how much time they spent on Kitty Glitter, there is much more at stake: The personal and financial information sitting in casino databases represents a potential gold mine for cyber criminals.
The letter was vague about the incidents, but at least two recent Las Vegas database breaches are public record. In July, a hacker accessed attendee information for Cisco Live 2010, a computer industry training event at Mandalay Bay. Although it wasn’t connected to Mandalay Bay’s own databases, this high-profile case—cyber crime directed against a networking conference—illustrates the tenuous safety of information.
Another breach struck at a hospitality operation, though one that doesn’t feature gaming and isn’t under the board’s jurisdiction. From June to October, credit- and debit-card information was stolen from the Desert Rose Resort via a malicious software infection.
These two attacks illustrate the database vulnerabilities Las Vegas resorts face. Cyber security expert Slavik Markovich, chief technology officer of Sentrigo, a database security provider, points out three main types of threats that online databases in several industries, including gaming, have recently seen.
First, he says, are external targeted attacks. Like the Cisco Live 2010 or Desert Rose incidents, these involve a hacker choosing a target and then penetrating it—what the public generally thinks of when it hears the term “cyber crime.” Second are “insider leaks,” which have gained prominence in recent weeks due to the WikiLeaks breach; these happen when someone with access shares information without authorization.
“We’d all like to trust our employees,” Markovich says. “But it only takes one rogue employee or contractor to cause significant damage.” He points out that there are often dozens of administrators and developers with the capability to make a copy undetected or leave a back door that gives them unfettered access.
The third type, which is becoming more common, is the automated attack, in which hackers use “sophisticated tools” that perform random testing against sites, searching for weaknesses.
Markovich says that many times, databases are compromised because of failures to properly secure them.
“Most organizations know where their primary databases are, but in almost every case where we deploy our software, the customer is shocked when our scan finds additional copies [development or test servers, for example] and databases that they had no idea about.”
Administrators, even experienced ones, can make it easier for hackers to get in by either misconfiguring their databases or not keeping up with vendor patches.
“Database vendors frequently issue updates to address discovered vulnerabilities,” Markovich says. “But most organizations cannot install these immediately as they need to test applications for compatibility and schedule downtime to apply the patch. Until the patch is applied there is significant risk as hackers know about the weakness and will attempt to exploit it.”
Markovich believes that a combination of technology and process change can mitigate the risks presented by databases. These include tools for helping companies keep track of just where their sensitive information is, and software that helps them better monitor how these databases are accessed.
With their databases such potentially lucrative targets, it’s certain that keeping them secure is vital for casinos.