By Christine Duhaime, B.A., J.D., Gaming Attorney & Certified Anti-Money Laundering Specialist
Casino Patron Data Allegedly Stolen in Cyber-Attack
Several weeks after reporting that its websites were attacked by political hackers, the Las Vegas Sands Corp. reported that the personal information of some gamblers and hotel guests (and possibly some employees) was stolen in the attack. The cyber-attack was allegedly motivated by comments CEO Sheldon Adelson made about Iran. The cyber-attack affected Las Vegas Sands Corp. corporate website and several of its casinos. The most high profile (and material breaches if any) appear to those from the casinos in Macau, Singapore and Las Vegas. It is unknown whether the personal information of high rollers and prominent persons who frequent high-end casinos, their nightclubs and casino hotels was taken.
It is public knowledge that casinos have significantly more personal information collected, retained and stored on gamblers, night club and hotel guests than most businesses because of the nature of the services and the heightened financial crime risks in which casinos operate, including client ID and financial transaction records, credit reports, bank records, Bank Secrecy Act reports, problem gambling reports and video surveillance records associated with gamblers. Some casino data is extremely sensitive. It is the probably the one sector, more than any other, where customer, operational and financial privacy is vitally important and maintaining its secrecy is essential to the integrity of gaming.
On its website, the Las Vegas Sands Corp. seems to confirm that credit and financial information provided by patrons was taken by the hackers. There is even a YouTube page that shows the hacking results and it contains the Social Security Numbers, emails and names of hundreds of people purportedly from several casino locations.
The FBI, US Secret Service and gambling regulators in several jurisdictions are no doubt involved in the investigation into the cyber-attack. Casino operators can expect this incident to result in significant changes to cyber-security protection in the gaming sector.
The reason the nature of the personal information and the extent of video surveillance collected and retained on casino patrons (including those that visit casino hotels, lobbies and night clubs) is public knowledge is, in part, from several decisions in Canada and elsewhere before, among others, privacy tribunals which disclosed casino operational information.