Over the summer, Rivers Casino Des Plaines was hit with the same cyberattack that affected larger casinos like MGM Resorts International and Caesars Entertainment.
Rivers Casino identified the breach in November and notified customers shortly after that.
Now, the Chicago casino faces a class-action lawsuit concerning the August data breach that compromised sensitive customer information. More than 100 individuals have joined the lawsuit. Their claims exceed $5 million.
Rivers Des Plaines one of several companies affected
So far, no Illinois casino other than Rivers has identified data breaches that would put customer information at risk.
Casino giants MGM Resorts International and Caesars Entertainment were hit the hardest in cyberattacks that became public in September. The attacks cost both companies millions of dollars. The two make up well over half the casinos on the Las Vegas Strip. They each handled the attacks differently.
According to reports, hackers requested a $30 million ransom from Caesars, and it paid $15 million. MGM refused to pay its attackers, which cost the company at least $100 million after its servers went down for days.
Identity management company Okta told Reuters that the attacks extended beyond the casino industry, affecting three larger firms in the manufacturing, retail and technology spaces. Okta did not name the companies.
Cyberattack did not impact Rivers’ daily operations
According to the lawsuit filed on Nov. 27 in Illinois’ Northern District Court, the cyberattack did not impact operations at Rivers Casino. The casino said it noticed on Nov. 2 that information had been accessed or removed on or around Aug. 12.
It took the casino almost three months to realize its data was compromised. Rivers said the information stolen included, but was not limited to:
- Full names, phone numbers, email addresses and dates of birth
- Government ID numbers, financial account numbers, tax ID numbers
- Passport numbers and Social Security numbers (collectively the “PII”)
Rivers said it does not believe customer passwords or payment card information were affected. It added that it had not seen any sign of fraud or identity theft.
In response, the lawsuit claims these victims now face an increased, ongoing and lifetime risk of identity theft. The victims seek compensation for losing their private and confidential information, claiming Rivers exercised negligence in failing to keep this information secure.
What the lawsuit is targeting
The lawsuit says that the casino never disclosed the root cause of the data breach, adding that this lack of disclosure furthers victims' security risks. It claims that data breaches are preventable, and that Rivers did not exercise reasonable security procedures to protect its customers' sensitive information.
Areas in which Rivers fell short, according to the lawsuit:
- Not encrypting PII data
- Not deleting information that is no longer necessary
- Not implementing US Government-recommended measures, such as awareness and training programs, using strong spam filters and firewall configurations, scanning all incoming and outgoing emails, and configuring access controls and permissions.
All this said, data breaches are pretty common. More than 7,300 organizations fell victim to data breaches in the third quarter of 2023, affecting more than 66.6 million individuals. Microsoft, Facebook and Estee Lauder were some of the companies targeted by hackers.
The lawsuit claims that how common data breaches are does not serve as an excuse for Rivers. Instead, it makes an even stronger case that the company should have been more prepared.