Cybersecurity experts raise alarm on unprotected Internet-connected devices in casino

Casinos have been for years now aiming at tackling cybersecurity breaches, with an eye on any devices that may grant access to corporate systems, even through CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.

Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby.

"The attackers used that to get a foothold in the network," she said. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."

Robert Hannigan, who ran the British government's digital-spying agency, Government Communications Headquarters, from 2014 to 2017, appeared alongside Eagan on the panel and agreed that hackers' targeting of internet-of-things devices was a growing problem for companies.

"With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that's going to be an increasing problem," Hannigan said. "I saw a bank that had been hacked through its CCTV cameras, because these devices are bought purely on cost."

He called for regulation to mandate safety standards.

"It's probably one area where there'll likely need to be regulation for minimum security standards, because the market isn't going to correct itself," he said. "The problem is these devices still work — the fish tank or the CCTV camera still work."