Case Study: Casino Operator Protects Against Threats of Retaliation and More

Challenge

  • Historic risk of disgruntled gamblers seeking retribution against casino operators following gaming losses
  • Execs receiving violent threats via email and SMS
  • Culture of infosec leaders myopic about the role of EDP

Solution

  • Privacy Bee for Business licensed for executives, board members, all workers with information systems access and third-party partners with systems integrations
  • Privacy Risk Assessment, Employee Risk Management and Vendor Risk Management scans performed and baseline risk profiles developed for all individuals and the organization at large
  • DSAR process engaged to cleanse exposures identified from Data Brokers, People Search sites and other locations
  • Leadership and middle management complete Privacy Bee University training for better insight into new attack surface

Results

  • Employee risk scores driven to at or below 15%
  • Organizational risk score below 15%
  • Elimination of inbound threats to execs and others
  • Risk of breach leading to ransomware greatly reduced
  • Potential for costly mitigation and litigation drastically reduced
  • Improved, data-driven evidence for GRC and investment interest

Customer: A Popular Casino & Hotel Operator with Properties in the US and Macau

Challenge: For decades, the threat of retaliation against casinos by disgruntled gamblers who have lost significant money has been an omnipresent concern. The threat is not just hypothetical either. In one notorious example, gambling addict John Birges Sr. built and deployed a powerful explosive device at Harvey’s Resort Casino and Hotel in Lake Tahoe, CA, where he had reportedly lost over $750,000. First, Birges planted the bomb disguised as a photocopier. He then alerted Harvey’s management that it would be detonated unless the casino operator paid a half-million-dollar ransom to recompense him for his losses. Ultimately, no ransom was paid, but the extortion demand allowed enough time for authorities to evacuate the property. Though the hotel and casino were destroyed in a horrific blast, nobody, luckily, was injured or killed.

Photo from FBI Archives

Though this example occurred back in 1980, in the time before the internet, the threats facing casino operators persist and have grown more sophisticated. Today’s threat actors are all too willing and able to use cyber strategies to extort retribution for their gambling losses. Some do so by gaining unauthorized access to information systems and wreaking havoc on operations, as in the September 2023 hack of MGM Grand that paralyzed websites and business systems, disrupted slot machines, locked thousands of guests out of their rooms and halted elevators in hotels. Others do so by extorting millions, as Caesars Entertainment was forced to pay to hackers who used social engineering attacks on a third-party IT support vendor to deploy ransomware. Casinos continue to be prime targets for bad actors, and hackers targeting casinos are increasingly reliant on violent threats.

Casino executives now find themselves – specifically – in the crosshairs of threat actors. Angry gamblers who lose their family fortunes are now able to use widely available, unsecured external data to locate and target executives for violent retribution. Desperate people are capable of desperate acts, and the lack of effective systems to protect EDP, or “External Data Privacy”, puts not only buildings, bank accounts and business reputations at risk. It also exposes those in leadership roles to physical harm, as anyone with an internet connection and an axe to grind can quite effortlessly gain access to sensitive data about the location of targets and their families.

This customer had been plagued by a series of threatening SMS and email messages directed at both casino executives and several croupiers working on the gaming floor of the casino. These messages had been delivered directly to the personal devices of the targeted individuals and contained graphic descriptions of the harm and sexual violence the threat actor promised to deliver upon their targets.

Seeking to avoid the catastrophic consequences of a violent attack and the subsequent brand and financial damages that occur in the wake of such activities, this customer reached out to Privacy Bee for Business to address the EDP gaps in its existing and quite substantial cybersecurity program.

The Solution: Privacy Bee began by proving to the CISO and CEO of this customer that their organization was exceedingly vulnerable to attack, despite their robust investments in cybersecurity. Two no-cost privacy scans, the External Data Privacy Audit and the Privacy Risk Assessment, delivered actionable data highlighting the privacy risk, a financial impact analysis and a data-driven privacy business case for deploying Privacy Bee. The results of these audits illustrated to the customer how, despite their serious investment in infosec defenses like employee training, phishing simulation, GRC and policies, network security, endpoint protection, and others, employees’ personal information remained fully exposed and available for purchase on Data Broker and People Search sites.

The customer learned how allowing external data to remain unsecured increased their vulnerability to highly personalized spear phishing and social engineering attacks just like those experienced by MGM Grand and Caesars. Privacy Bee illustrated how PII-infused payloads expand the attack surface of an organization, increasing the risk of a future data breach.

Licensing Privacy Bee for Business was approved by the customer’s board of directors for the entire executive team, all employees with access to critical information systems and even third-party vendor partners with data systems access. Employee Risk Management and Vendor Risk Management were enabled, and Privacy Bee immediately began scanning hundreds of external sources, searching for any exposed privacy risks on each person. At the same time, the VRM solution began mapping out privacy exposures and vulnerabilities across all the customer’s vendors and tech solution providers with integrations built into customer systems.

Discoveries of exposures and vulnerabilities were flagged, included in each employee’s aggregated Privacy Risk Score and processed for deletion requests. Over time, as Data Subject Access Requests, or ‘DSARs’, were processed for the licensed employees and executives, individuals’ risk scores improved and the overall risk profile of the customer organization fell dramatically.

Executives and board members as well as mid-level management leaders were all required to engage with Privacy Bee University for easy-to-absorb training on contemporary privacy threats and how to minimize the risk of being victimized. The Privacy Bee University program focuses on modern threats to a business, including External Data Privacy, the exploitation of People Search Sites to craft highly personalized (and convincing) attacks, and other ways that bad actors bypass your cybersecurity by tricking employees.

Results: After more than a year of engagement with Privacy Bee for Business, the customer has achieved employee and organizational risk scores at or below 15%, which is considered a best practice for risk avoidance and EDP risk mitigation. Hundreds of thousands of exposures have been identified, and the unsecured data has been deleted from its former locations on Data Broker and People Search sites.

The volume of inbound threats via SMS and email has been entirely eliminated, and the potential for multi-million-dollar losses – whether by theft, ransom or subsequent litigation – has been reduced.

With the hard data on privacy management activities produced by the customer using Privacy Bee for Business, the customer was able to update its Governance, Risk & Compliance documentation, demonstrating to investors its commitment to privacy and the protection not only of its workforce and executives, but of its customers and the sensitive personal data often collected during hotel stays, travel bookings and gaming activities. This helped the customer attract and retain additional equity investment, which it used to expand operations abroad.
