Apr 15, 2024

Caesars Entertainment Files Notice of Data Breach Due to a Cyberattack Against Third-Party IT Vendor

Cybersecurity concept with person using laptop showing digital security interface.

Earlier this month, on October 6, Caesars Entertainment, Inc. filed a notice of data breach with the Attorney General of Maine, Aaron Frey, after it discovered that an unauthorized party gained access to Caesars' IT network through an attack against a third-party vendor company. In the notice, Caesars Entertainment explains that the incident resulted in an unauthorized party accessing consumers' sensitive information, including their names, driver's license numbers, Social Security numbers, and more, leaving millions of its members at risk for identity theft.


Breaking Down the Caesars Data Breach

Around September 7, 2023, Caesars allegedly suffered a massive cyber-attack from a cybercriminal group known as "Scattered Spider" or UNC 3944. According to the Attorney General of Maine report and the filed documentation with the Securities and Exchange Commission, the cybercriminal group was able to infiltrate the company's IT vendor through social engineering. As a result, Scattered Spider was allegedly able to download Caesars' loyalty program database. 

Although Caesars has not yet confirmed what exact information was stolen in the breach, it is alleged that Scattered Spider had access to the personal identifiable information ("PII") of more than 65 million rewards program members. According to the report, the affected PII includes but is not limited to members full names, addresses, phone numbers, email addresses, credit card numbers, Social Security numbers, driver's licenses, passport numbers, license plates, geolocation data, birthdates, purchase information, gaming activity information, biometric information, and health information. 

Once Caesar became aware of the breach, the company initiated its "incident response protocols," implementing measures to reinforce the security of our network, and launched an investigation into the breach with the assistance of a cybersecurity firm. The company also notified law enforcement and state gaming regulators over the event. It is alleged that the cybercriminal group demanded a $30 million ransom, of which Caesars reportedly paid half, as implied in its statement in the SEC filing, "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." 

Founded in 1937, Caesars Entertainment, Inc., previously known as Caesars Entertainment Corporation, is an entertainment and hospitality company based out of Vegas, Nevada, and operates more than 50 properties across the United States. Acquired by Eldorado Resorts in 2020, Caesars Entertainment employs more than 49,000 people and roughly generates an annual revenue of $10 billion. Affected hotels and casinos may include Caesars Palace, the Cromwell, the Flamingo, the Horseshoe, LINQ Hotel & Casino, the Paris Las Vegas, Planet Hollywood Resort & Casino, Harrah's Las Vegas, and the Rio All-Suite Hotel & Casino. 


What Caesar Loyalty Members Can Do To Protect Their Data

On October 6, 2023, Caesars Entertainment sent out data breach letters to anyone affected by the recent data security incident. The letters provide victims with more information on the breach and a list of what information of theirs was compromised. Caesars is offering its affected customers complimentary credit monitoring and identity theft protection services. In order to learn more about the service, affected members can contact their dedicated incident response line at (888) 652-1580 or visit the company's FAQ page

Caesars' loyalty program members can also protect themselves against identity theft by regularly monitoring their credit reports and account statements and reporting any suspicious activity to law enforcement. Victims who received a letter from Caesars Entertainment should contact a class action attorney today to learn more about their legal options. For more information on the Caesars Entertainment data breach, contact a Morgan & Morgan class action attorney by completing our free, no-obligation case evaluation form.