Caesars notifies Maine Attorney General's office of cyberattack, revealing impact on 41,397 residents

Casino giant Caesars Entertainment has officially informed the Maine Attorney General's office about the recent cyberattack it suffered, which has raised concerns over the security of customer data.

The notification, in compliance with Maine state law, discloses that a total of 41,397 Maine residents have been potentially affected by the breach, the Las Vegas Review-Journal reported. Interestingly, in Caesars' filing, the overall number of individuals impacted by the breach remains listed as "to be determined."

According to the notification, Caesars fell victim to a social engineering attack targeting an outsourced IT vendor. This led to unauthorized access to Caesars' network on August 18, 2023. Subsequently, data exfiltration, which began around August 23, 2023, was confirmed by Caesars on September 7, 2023. The compromised data included personal information belonging to state residents.

The notification specified that the perpetrators managed to acquire names and other personal identifiers, often in conjunction with either a driver's license number or a non-driver identification number.

Caesars made the notification to Maine authorities on the very same day it publicly disclosed the breach. This disclosure occurred in an update submitted to the Securities and Exchange Commission as an addition to a filing made on September 14, 2023.

“After detecting the suspicious activity, we quickly activated our incident response protocols and implemented a series of containment and remediation measures,” the company said in a filing.

“The company also launched an ongoing investigation, engaged leading cybersecurity firms to assist, and notified law enforcement and state gaming regulators. Once the incident was contained, we initiated a detailed review to identify any sensitive personal information contained in data acquired by the unauthorized actor as part of the incident.”

As a proactive measure, Caesars is urging its customers to vigilantly monitor their accounts for any signs of suspicious activity.

“While we do not have any specific reason to believe that you are at risk of identity theft or fraud as a result of this incident, it is always good practice to be vigilant by regularly reviewing your account statements and monitoring any available credit reports for suspicious activity,” the company said.

“We also generally encourage you to take care in identifying calls, emails or SMS texts that appear to be spam or fraudulent (phishing), and to avoid opening links or attachments sent from untrusted sources,” as per the filing.

The same group of hackers is believed to have attacked MGM Resorts International as well, causing a nine-day disruption across its properties in the United States. However, Caesars faced fewer public-facing issues, allegedly due to the payment of a multimillion-dollar ransomware demand. The Wall Street Journal reported that the company paid about half of a $30 million ransom demanded by the hackers.

Meanwhile, a 10th class-action lawsuit seeking damages from either MGM or Caesars was filed in U.S. District Court in Nevada last week. Earlier, Las Vegas law firms Stranch, Jennings & Garvey, PLLC and Kopelowitz Ostrow Ferguson Weiselberg Gilbert, and The O’Mara Law Firm, P.C., of Reno and Barnow and Associates, P.C., of Chicago had filed lawsuits in relation to the cyber attacks.