Casino giant Caesars has admitted that more than 41,000 of its patrons had their personal information stolen in a major September data breach that pre-dated that month's blockbuster MGM hack.
While the total number of victims is still be counted, Caesars has now said that 41,397 folks from the state of Maine had their details pilfered by the cybercrime gang responsible for the ransomware attack. A group called Scattered Spider has been judged responsible for the breach.
Shedding further light on the incident, the chain says that its loyalty scheme specifically was hacked and that the pilfered personal data includes the names, driver's license and ID card details of customers from The Pine Tree State. However, it insists that financial and payment details were not accessed in the attack, even though it is now offering those affected two-year's worth of cybersecurity and identity fraud insurance on the house
Caesars Still Counting Total Number of Hack Victims
Caesars made the admission in a recent filing with the Maine Attorney General's office, where it says that the final number of hack victims is still to be determined.
However, in good news for anyone who visited Caesars from Maine last month, Caesars adds in an attached PDF sample letter sent out to affected residents that it had “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this Tech.co Black Friday offer.
This could be translated as Caesars quietly copping to paying out the ransom demand of the cybercrime gang behind the attack. According to CNBC, the casino chain negotiated the figure down to $15 million from an initial price of $30 million.
Caesars Allegedly Paid Demand Days Before MGM Breach
What's interesting here is the timeframe Caesars allegedly paid out the ransom demand. It was apparently only a matter of days after the chain apparently paid up that the same ransomware gang, Scattered Spider (also known as UNC3944 or Roasted 0ktapus), hacked MGM in another major breach of Vegas heavyweights.
This highlight something that virtually all ransomware statistics confirm: companies should never pay ransom demands to cybercriminals, as it only encourages them to execute further attacks on similar targets.
Explaining exactly what happened in the breach, Caesars notes that it was the “victim of a social engineering attack on an outsourced IT support vendor that resulted in unauthorized access (on August 18, 2023) to Caesars' network and the exfiltration of data (beginning on or about August 23, 2023).”
Scattered Spider Ransomware Hits “Hundreds” of Companies
The casino chain adds in its letter to affected Mainers that it is providing them with two years of identity theft protection through a third-party provider, IDX. The policy includes “credit and dark web monitoring to detect any misuse of your information” as well as coverage of up to $1 million should anyone fall victim to identity theft.
While Caesars and MGM are two high-profile victims claimed recently by Scattered Spider, the actual number of organizations affected by its latest ransomware campaign could number in the hundreds.