The driver’s license and Social Security numbers “for a significant number of members” of the Caesars Rewards program were copied by an “unauthorized actor,” Caesars Entertainment said in a report to the Securities and Exchange Commission released Thursday.
“We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor,” Caesars said in the report. “We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.”
The company said its investigation began on Sept. 7.
On Wednesday, Bloomberg reported that Caesars paid millions of dollars in ransom after being cyberattacked by a group known as Scattered Spider or UNC 3944. The report said Caesars would soon issue a regulatory filing addressing the incident.
Thursday’s filing did not confirm the report, but did make mention of the costs associated with the attack.
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” the company said in the filing. “The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.”
It’s unclear what cybersecurity insurance Caesars and MGM Resorts International, hit with its own cybersecurity incident on Sunday, may have and what it would cover.
Alex Hamerstone, advisory solutions director for information security consultancy firm TrustedSec, said cybersecurity insurance has been around for a long time and policies can run the gamut. Some will include coverage for ransomware and services that help negotiate with the attackers.
But as cyberattacks get more sophisticated, the field may change. Some hackers, once in a company’s network, will look for the insurance policy and then demand that amount.
“Companies have tried to offload or have offloaded risks by buying insurance for a long time, and that’s becoming much more difficult now,” Hamerstone said. “Cyber-insurers are raising rates, raising the deductibles and retention and having smaller recovery just because these incidents are so common.”
Caesars said it took steps to “ensure that the stolen data is deleted by the unauthorized actor,” but it couldn’t guarantee the result and will continue monitoring the web for leaked data. It’s offering credit monitoring and identity theft protection services to all loyalty program members. To sign up for these services, members may call (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday, other than holidays.