Breaches in online sports betting have always been a substantial issue in the gambling industry. The online gambling industry has become extremely lucrative in the last few years and a major target for cyber criminals. This is because these websites and mobile applications are a gateway to the customers’ credit cards, bank accounts, and other sensitive information. In order to understand the threat these hacks pose and how to avoid becoming another victim, it is important to understand some of the recent attacks and the security vulnerabilities that were exploited.
1. February 2020 | MGM Resorts and Casino Hack
What happened? The first attack to discuss happened in February 2020 when researchers discovered that 142 million personal details on guests of MGM Resorts hotels were stolen and placed for sale on the dark web. This was the result of a misconfiguration of their cloud server that allowed a hacker to breach the database and steal the data. This is the second large-scale attack that MGM has reported after announcing 10.6 million guests had their information stolen just last February in the same manner. (See Exhibit A)
Who Were the Victims & How Did it Affect Them? These large-scale attacks target hotel guests to gain private information such as full names, home addresses, phone numbers, emails, and dates of birth. All this sensitive data can be sold for thousands of dollars on the black market and places the victims at risk of identity fraud, private accounts being hacked, and even their financial information being accessed and stolen. The millions of guests who became victims in this attack included people such as CEOs, Hollywood celebrities, reporters, and even government officials from the Department of Homeland Security and the Transportation Safety Authority. These people’s private information can now be purchased by any bad actor or organization and used however they wish.
2. March 2020 | Clubillion
What happened? Clubillion, a popular gambling app which had data hosted on Amazon Web Services, became a victim of a hack after a technical glitch left their data exposed. This meant information such as names, winning track, IP addresses, private messages, phone numbers, and even email addresses were all open to be accessed by hackers.
Who Were the Victims & How Did it Affect Them? It was reported that 200 million records per day were exposed, and the hackers did not need authentication to access these records. Players of Clubillion were located across the world, and their logged actions (when players entered the game, won, lost, updated their account, or created an account) were available to these hackers and could be accessed by anyone on the cloud platform. This exposed data made Clubillion’s users vulnerable to banking fraud and other possible cyber attacks. According to Cybersecurity Insider, “Clubillion Data Breach could spell deep trouble to the future of the gaming app as it can lead to loss of trust among players, force EU’s data watchdog to reprimand it for breaking GDPR rules and make Google Play and Apple Store remove it from their respective platforms as it has failed to protect its user data securely.”
3. March 2020 | SBTech
What happened? In late March of 2020, SBTech’s platform was completely taken down in what seemed to be a ransomware attack. The complete shutdown lasted a week and affected the hundreds of third-party websites that utilized SBTech’s platform to run their sports betting and online casino services. When a shutdown like this happens, the company becomes responsible for all of the damage that occurs to their customers.
Who Were the Victims & How Did it Affect Them? According to a report by ZDNet, SBTech has put aside $30 million in escrow as insurance for covering all the damage and lost income caused by the cyberattack. The company expects that they will receive lawsuits from their third-party application customers who became victims of the cyberattack by proxy. If the $30 million is not enough, the company has set up a plan to pay up to $100 million for the damages. These kinds of prices are not uncommon in cyberattacks, as they often leave companies paying millions on top of having their data and systems compromised. As attacks continue to increase in number and size, these prices will only go up.
4. October 2020 | Skybetting and Gaming
What happened? A hacker stole the private data of up to 120,000 people recovering from gambling addiction after gaining access to the Skybetting and Gaming private network. The hacker then used this information to attempt to entice these people to follow a link and gamble with false promotions such as “100 free spins.” According to Gamstop, a gambling control service, the breach included around 6 emails and caused a lot of distress to the victims.
Who Were the Victims & How Did it Affect Them? This breach was especially difficult for the victims as it directly attacked those who had previously struggled with gambling addictions and are in recovery. The information the bad actor accessed contained a list of all the people who had explicitly stated they did not want to receive any emails or offers from Skybetting in an effort to remove themselves from gambling culture. With the emotional and mental distress this leak caused the victims who trusted the company with their information, Skybetting must work alongside a law firm in order to determine how best to repay the damage and rebuild the trust people had in them.
5. July 2021 | Hackers Spread BIOPASS Malware
What happened? In July, cybersecurity researchers warned companies that a new malware was being deployed via watering hole attacks, targeting online gambling companies in China. These attacks would disguise themselves as seemingly legitimate parts of the websites, enticing users to download or click links that would actually contain the malware. These attacks are already very sophisticated, and the fact that the malware utilized is still under development and improving shows how complex the attacks we are preparing for in the future could potentially be.
Who Were the Victims & How Did it Affect Them? This attack utilized multiple methods in order to steal user data. Once downloaded from a seemingly trustworthy link or chat box, the malware allows the hacker to download user data straight from the device or even capture the screen of the victim. Any private, valuable data could be stolen from a user without them ever realizing they are carrying the malware. These types of attacks are especially concerning because they are coming from websites that belong to legitimate companies that users were previously able to trust.
Planning for the Future
With so many attacks on the online gambling industry occurring over the past few years, companies are being forced to consider what the future will hold in terms of security and financial risk. Many organizations, including the American Bar Association, predict that there will be legal ramifications to consider due to the highly private and valuable information that online gambling companies contain. Security as it currently is will clearly not be enough to protect company data. There are many known vulnerabilities that bad actors take advantage of to access sensitive data and steal it. As attacks continue to increase in number and complexity, stronger security measures are more necessary than ever.
Eclypses MTE Technology, a FIPS 140-3 validated technology, prevents bad actors from being able to access and utilize data by encoding it where it is created and lives. Whether inside the application or cloud, MTE replaces data with instantly obsolete values which can only be understood by the server and application (See Exhibit B). No attacker will ever be able to make use of or sell your private data, as they will never have access to it to begin with. MTE can enhance or even replace the current security measures protecting companies in the gambling industry that need to protect their users’ valuable personal and financial data as attacks continue to rise.