IMGL Magazine January 2023

CYBER SECURITY

services. Consumers using the same login details on multiple website accounts are considered low-hanging fruit and vulnerable to this kind of activity. Incidents like this are not new, but the recent dramatic expansion in the number of US states legalizing online gambling has led to warnings from the FBI [3] and others that the attacks are growing in volume. Identity and access management company Okta estimated that up to one-third of all sign-in attempts are malicious and fraudulent across the platforms it monitors. [4]

DraftKings is not alone when it comes to being targeted by hackers. BetMGM, a joint venture between MGM Resorts International and Entain, wrote to customers in December 2022 informing them of a breach that had taken place the previous May. [5] While the betting firm did not disclose the number of customers whose information had been stolen, the likely attackers are already selling it online. Threat actor “betmgmhacker” boasted that “We breached BetMGM’s casino database current as of Nov 2022”. [6] The stolen information was for sale on a hacking forum and described as “inclusive of every BetMGM casino customer (over 1.5M) as of November 2022 from MI, NJ, ON, PV, and WV.”

FanDuel, another major sportsbook, was reportedly targeted in the same attack as DraftKings. This comes on top of issues experienced by the company in Canada earlier in the year, where the operator reported its sports betting and casino app had “experienced a technical incident” as a result of a technology change by a third-party vendor. During that time, some customers could have had access to other customers’ account information. When this was discovered, FanDuel said it shut down the platform and froze affected accounts while it resolved the issue. The incident attracted the attention of the regulator for sports betting in Ontario.

The Alcohol and Gaming Commission of Ontario said in September it would be “conducting a full regulatory review” of the matter, which will in turn trigger a requirement for FanDuel to inform the UK Gambling Commission and regulators in other countries where it has operations. FanDuel’s parent company, Flutter Entertainment PLC, noted in its interim financial results in August that cyber resilience and the protection of data was a key risk it needs to manage. [7]

The regulator’s response

The Canadians are not the only regulators taking an interest in the situation. US legislators and regulators are working proactively to enact safeguards that will help lower the probability that another large sportsbook will experience a major cyber disruption. Following industry consultation, the Nevada Gaming Commission (“NGC”) updated its regulations to require its casinos to formulate tighter controls over cybersecurity threats and their online operations to better protect against leaks of sensitive information such as client data, and to promptly report cybersecurity attacks to the NGC.

A summary of the measures contained in Nevada’s new regulations [8] is as follows:

1. Operators should take “all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks.” Operators must document the precautions taken and make them available to the NGC upon request. Operators must secure personal information gathered from patrons and employees as well as the operator’s own records.
2. Operators should conduct a risk assessment and adopt cybersecurity best practices by December 31, 2023. Operators will need to monitor attack trends and periodically reassess their security practices to update their safeguards and risk assessment.
3. Operators should notify the NGC no later than 72 hours after becoming aware of a cyber attack that results in the material loss of control, compromise, or disclosure of information, investigate the attack, and prepare an investigative report to be shared with the Commission upon request.
4. Operators should retain an outside cybersecurity analyst to review the operator’s security practices annually and attest in writing that those practices comply with the NGC’s regulations.

[3] https://www.ic3.gov/Media/News/2022/220818.pdf
[4] https://auth0.com/blog/top-insights-from-our-2022-state-of-secure-identity-report/
[5] https://www.documentcloud.org/documents/23509327-betmgm-individual-notice
[6] https://www.bleepingcomputer.com/news/security/leading-sports-betting-firm-betmgm-discloses-data-breach/
[7] https://www.flutter.com/media/ehcozwfo/flutter-2022-interim-financial-statements-final.pdf
[8] https://gaming.nv.gov/modules/showdocument.aspx?documentid=19295
