National Indian Gaming Commission Critical Of Commercial Casinos For Security Issues

Written By Dan Holmes on September 25, 2023

In a thinly veiled critique of the shortcomings at MGM and Caesars following cyber attacks earlier this month, the National Indian Gaming Commission championed its reliance on superior technology for security at tribal-owned properties, including at New York casinos.

“Cyber related attacks impact organizations, big and small, have increased in recent years, and are not going away,” a statement from the NIGC read. “To significantly reduce risk to IT systems, it is prudent for organizations to employ a layered, redundant approach to cybersecurity.”

The NIGC, a federal regulatory body based in Washington DC, stated that it utilizes “a progression of layered defensive mechanisms to safeguard data, information, and information systems.” The NIGC calls it a “Defense in Depth” method, comparing it to security measures used in medieval castles.

There are seven tribal casinos in New York, headlined by Turning Stone Casino Resort in Verona and Seneca Niagara Resort & Casino in Niagara.

Tribal casinos have not suffered the same fate as MGM, Caesars

Both Caesars and MGM resorts and casinos were attacked last month by hackers who breached many of their systems and crippled several activities, rendering the facilities at least partially inoperable.

At least one MGM-owned casino in New York was impacted. A criminal group calling itself “Scattered Spider” claimed responsibility. Allegedly, Caesars paid a ransom in the area of several million dollars to regain access to its systems.

No such high-profile hack has occurred at casinos owned and operated by native tribes. According to the NIGC, that’s due to its security strategy that features “three critical control layers: physical controls, technical controls, and administrative controls.”

Hackers apparently used phone calls to attack MGM, Caesars

The release from the NIGC goes into detail on the security strategies used by its member casinos to protect against hostile attacks. It mentions the use of “antivirus software, software or hardware firewalls, disk encryption, authentication controls, and Multi-Factor Authentication.”

However, in both the Caesars and MGM attacks, Scattered Spider apparently tricked employees at the IT Help Desk and then employed VoIP to impersonate support staff and steal passwords.

This type of insidious method isn’t necessarily something software protects against; the protection comes from policy.

NIGC continues to warn members of fraud schemes

Earlier this year, the NIGC issued a statement warning its members of fraud schemes aimed at casinos using impersonation and VoIP methods.

One casino in Nevada saw close to $500,000 in cash stolen from the cash cage during such an attack. A casino employee at the Four Winds Casino Hartford (Michigan), owned by the Pokagon Band of Potawatomi Indians, was duped by a phone call into taking $700,000 in cash off the casino property and delivering it to an unknown person. That employee faces felony charges and awaits trial.

The NIGC admits that its “Defense in Depth” strategy is not infallible:

“The defense in depth security architecture can help mitigate, but not eliminate cyber risk.”
