By Christine Duhaime, B.A., J.D., Gaming Attorney & Certified Anti-Money Laundering Specialist
Casino Patron Data Stolen in Cyber Attack
Several weeks after reporting that its websites were attacked by political hackers, the Las Vegas Sands Corp. reported that the personal information of some gamblers and hotel guests (and possibly some employees) was stolen in the attack. The cyberattack was motivated by comments CEO Sheldon Adelson made about Iran. It affected the Las Vegas Sands Corp. corporate website and several of its casinos. The most high-profile breaches (and the material ones, if any) involve the casinos in Macau, Singapore and Las Vegas. It is an understatement to say that high rollers and prominent persons who frequent high-end casinos, their nightclubs and casino hotels will be unhappy if their personal information was taken. Worse still if the hackers use or disclose that personal information.
It is public knowledge that casinos collect, retain and store significantly more personal data on gamblers, night club and hotel guests than most businesses because of the nature of the services and the heightened financial crime risk under which casinos operate. That data includes client ID and financial transaction records, credit reports, bank records, Bank Secrecy Act reports, problem gambling reports and video surveillance records associated with gamblers. Some casino data is extremely sensitive. It is probably the one sector, more than any other, where customer, operational and financial privacy is vitally important and maintaining its secrecy is essential to the integrity of gaming.
On its website, the Las Vegas Sands Corp. confirmed that credit and financial information provided by patrons was taken by the hackers. There is a YouTube page showing the hacking results and it contains the Social Security Numbers, emails and names of hundreds of people purportedly from several casino locations.
The FBI, US Secret Service and gambling regulators in several jurisdictions are no doubt involved in the investigation into the cyberattack. Casino operators can expect this incident to result in significant changes to cybersecurity protection in the gaming sector.
The nature of the personal information and the extent of video surveillance collected and retained on casino patrons (including those who visit casino hotels, lobbies and night clubs) is public knowledge in part because of several unfortunate decisions before privacy tribunals in Canada and elsewhere, which disclosed casino operational information.