A data breach at Caesars Entertainment Inc. has compromised personal information belonging to a “significant” number of customers, the company disclosed today.

Reno, Nevada-based Caesars is a major hotel and casino operator. It runs more than 50 properties worldwide and generated $10.8 billion in net revenue during its most recent fiscal year. The company disclosed the cyberattack in a regulatory filing published today.

According to the filing, Caesars detected the breach earlier this month after spotting suspicious activity in its internal network. An investigation determined that hackers “acquired a copy of, among other data, our loyalty program database,” the company detailed.

Caesars disclosed last April that its loyalty program had more than 65 million members. According to the company, the breach comprised information belonging to a “significant number” of loyalty program members. The stolen data included driver’s license numbers and Social Security numbers.

Caesars is currently investigating whether the hackers may have stolen additional information. Currently, the company stated in its filing, there’s no indication that loyalty members’ account information, passwords or payment card details were accessed. Caesars added that the breach didn’t affect customer-facing operations across its properties and gaming applications. 

The company has hired multiple cybersecurity firms to help it respond to the incident and notified authorities. According to today’s filing, members of Caesars’ loyalty program will receive access to credit monitoring and identity theft protection services. The company said that it plans to notify customers whose information was stolen in the breach. 

Word of the cyberattack first emerged late Wednesday, when sources told Bloomberg that hackers had gained access to Caesars’ technology infrastructure. They said that the cyberattack began in mid-August.

Separately, the Wall Street Journal reported that the hackers behind the breach had demanded $30 million from Caesars to not leak the compromised data. The company reportedly paid “about half” the sum.

Caesars shared a number of additional details about the breach in its regulatory filing. The company stated that it was a social engineering attack, a type of cyberattack in which hackers trick employees into giving them access to the corporate network. The social engineering attack didn’t target Caesars itself but rather an “outsourced IT support vendor.”

“With the update that Caesars was also hit with an incident, this one confirmed to have been not only a social engineering attack, but also a supply chain attack, it’s a sobering reminder that security culture must be top of mind for every business,” Ian McShane, the vice president of strategy at cybersecurity provider Arctic Wolf Networks Inc., told SiliconANGLE.

The disclosure of the breach comes a few days after MGM Resorts International, another hotel and casino operator, reportedly shut down parts of its network because of a cyberattack. The breach is said to have been carried out by a hacking group that researchers refer to as Scattered Spider. Google LLC’s Mandiant unit estimates that the group has targeted more than 100 organizations in the past two years. 

The breach reportedly caused technical issues that affected ATMs, digital key cards and electronic payment systems at MGM properties. As of Wednesday, at least some of the affected systems continued to experience malfunctions.

“Current speculation in the industry is that the MGM incident was the result of a ‘simple’ social engineering scheme, involving impersonated employees,” McShane said. “It’s important to note that social engineering, if it is indeed the root of this incident, can happen to any organization, no matter how sophisticated.” 

Image: Wikimedia