In a thinly veiled critique of shortcomings of MGM and Caesars following cyber attacks earlier this month, the National Indian Gaming Commission championed its reliance on superior technology for security at tribal-owned properties, including at New York casinos.
“Cyber related attacks impact organizations, big and small, have increased in recent years, and are not going away,” a statement from the NIGC read. “To significantly reduce risk to IT systems, it is prudent for organizations to employ a layered, redundant approach to cybersecurity.”
The NIGC, a federal regulatory body based in Washington DC, stated that it utilizes “a progression of layered defensive mechanisms to safeguard data, information, and information systems.” The NIGC calls it a “Defense in Depth” method, comparing it to security measures used in medieval castles.
Tribal casinos have not suffered same fate as MGM, Caesars
Both Caesars and MGM resorts and casinos were attacked last month by hackers who breached many of their systems and crippled several activities, rendering the facilities at least partially inoperable.
At least one MGM-owned casino in New York was impacted. A criminal group calling itself “Scattered Spider” claimed responsibility. Allegedly, Caesars paid a ransom in the area of several million dollars to regain access to its systems.
No such high-profile hack has occurred at casinos owned and operated by native tribes. According to the NIGC, that’s due to its security strategy that features “three critical control layers: physical controls, technical controls, and administrative controls.”
Hackers apparently used phone calls to attack MGM, Caesars
The release from the NIGC goes into detail on the security strategies used by its member casinos to protect against hostile attacks. It mentions the use of “antivirus software, software or hardware firewalls, disk encryption, authentication controls, and Multi-Factor Authentication.”
However, in both the Caesars and MGM attacks, Scattered Spider apparently tricked employees at the IT Help Desk and then employed VoIP to impersonate support staff and steal passwords.
This type of insidious method isn’t necessarily defended against by software, but rather by policy.
NIGC continues to warn members of fraud schemes
Earlier this year, the NIGC issued a statement warning its members of fraud schemes aimed at casinos using impersonation and VoIP methods.
One casino in Nevada saw close to $500,000 in cash stolen from the cash cage during such an attack. A casino employee at the Four Winds Casino Hartford (Michigan), owned by the Pokagon Band of Potawatomi Indians, was duped by a phone call into taking $700,000 in cash off the casino property and delivering it to an unknown person. That employee faces felony charges and awaits trial.
The NIGC admits that its “Defense in Depth” strategy is not infallible:
“The defense in depth security architecture can help mitigate, but not eliminate cyber risk.”