Caesars acknowledges it was victim of a cyberattack, says operations were unaffected
Caesars Entertainment said Thursday it was the victim of a cyberattack, but didn’t confirm media reports from anonymous sources that it made a ransom payment to the unknown hackers who stole data associated with the company’s customer loyalty program.
In an 8K filing with the Securities and Exchange Commission, the company said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
Caesars said its nationwide network connecting 57 casino resorts in 18 states and its online and mobile gaming applications were not disrupted.
In the filing, Caesars said it didn’t believe the incident would have a material effect on the company’s financial condition.
The announcement comes four days after MGM Resorts said a cyberattack caused the company’s website to go offline and affected the gaming and non-gaming sides of MGM’s 11 Strip properties and operations in eight states. The attack on MGM affected the ability of customers to make or access their hotel reservations on the company’s website, disabled digital entry to hotel rooms and shut off the use of credit cards and casino management systems that oversee slot machines and cashless gaming.
MGM and Caesars are the Strip’s two largest casino operators, with a combined 60,000 hotel rooms.
On Wednesday, the Wall Street Journal and Bloomberg News, citing anonymous sources, reported Caesars paid roughly half of a $30 million ransom that hackers demanded after the cyberattack.
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” Caesars said in the SEC filing, adding that the full scope of the company’s cost for thwarting the attack was unclear. The company said its investigation into the hacking began on Sept. 7.
Caesars said the loyalty program database included driver’s license numbers and/or Social Security numbers “for a significant number of members.” The company said it brought in cybersecurity firms to determine the extent of the cyberattack and it had “no evidence to date” that passwords, PIN numbers, bank account information or payment card information was acquired in the hack.
“While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents,” Caesars wrote in the filing.
On Wednesday, Gaming Control Board Chairman Kirk Hendrick said the agency and Gov. Joe Lombardo have been monitoring the cybersecurity incident involving MGM and “are in communication with company executives.” He declined to comment on Caesars.
In a research note to investors Thursday following the Caesars filing, Jefferies Gaming analyst David Katz wrote that the cyberattacks on the two casino operators “should be taken as one-time, largely insurable events.”
Katz suggested that companies shouldn’t see any long-lasting effects on business.
However, he said MGM Resorts faces a greater “material impact” and said business could see a 10 percent to 20 percent decline as long as the current operating conditions continue.
Updated at 9:28 a.m. on 9/14.2023 with an analyst's comments.