On a roll in Vegas? Don’t blow it – keep your digital guard up

Gamblers and dealers beware; whether in Vegas or Monte Carlo, it’s not strictly your wallet that’s at risk of running on empty.

What do gamblers, casinos, and the FBI have in common? If your answer is money, then try again. The digital age has arrived at brick-and-mortar casinos around the world, bringing with it its own flavor, including malice of a different kind than traditional card counters or chip dumping.  

It’s true that casinos are highly regulated and well-protected against fraud of many kinds (often resembling or surpassing the security at hospitals and airports), but these days, it’s cybercriminals who have their eyes set on the grand prize. Casinos bank more than just their guests’ stakes. It’s the sensitive data they keep, such as financial records, personal details, and more, that make up the jackpot nowadays.

With ESET World 2025 taking place in the city of “lost wages” from March 24, 2025, perhaps it’s a good opportunity to raise cyber awareness in an area that might not be so obvious, as, increasingly, it is the data of the city’s guests, rather than the vaults, feed tables, and slot machines, that criminals are interested in.

The city of Las Vegas has many nicknames. Also known as the “gambling capital of the world,” the city is known for its lustrous casinos, luxurious hotels, and, of course, games. Within every casino, virtually hundreds of thousands of US dollars get exchanged daily. In 2023, this accounted for a collective $66.5 billion in casino revenue.

Not even George Clooney’s Ocean’s Eleven character, Danny Ocean, would scoff at such an amount, but even he would be shocked at the idea that there is more to a casino than the contents of its vaults.

Beyond the billions is the valuable data of a casino’s clientele, from people searching for lodging to event organizers, or regular, everyday casino-goers. From an even broader perspective, data on business partners (supply chains that provide the machines and security systems), employees, and even the top managers themselves, would be of great interest.

Why is all of this so interesting to threat actors? Let’s start with the sensitive data, like personal information. Anyone who’s ever checked in at a hotel knows the sort of details they have to provide to be given their rooms, such as:

1. Some form of an ID (state IDs, drivers’ licenses, passports, etc.)
2. Their name, address, preferences, email
3. Payment details

On top of that could be other specifics, such as further personal data (companions, dietary restrictions, accessibility requirements) or more. This much granular data can be very valuable on the black market, with stolen personal data from documents such as IDs or passports costing from hundreds to thousands of dollars per document.

Thus, threat actors roll the dice. In 2023, it came to light that the prominent casino chain MGM Resorts was targeted by a cyberattack, with hackers exfiltrating data such as names, contact information, gender, date of birth, IDs, and even Social Security numbers. The attack reportedly cost the chain around $100 million … certainly not chump change.

So, who’s responsible for the cybersecurity of the casino’s guests? From one point of view, it is the establishment itself, since, as it is providing a service, it needs to cover any liabilities. This is supported by regulations and guidelines recommending tight security, especially for sensitive data. Just off the top, PCI DSS would cover payment data, while the NIST Cybersecurity Framework would help a casino/hotel of any size to enact appropriate cyber measures.

For casinos in Las Vegas, the Nevada Gaming Commission (NGC) has a clear set of cybersecurity regulations for gaming operators to follow.

Perhaps this also places a bit too much of a burden on these places of entertainment. And, while guests don’t want such thoughts on their minds while hitting the jackpot, the reality is that personal awareness plays a big role when all the chips are down. Otherwise, man-in-the-middle attacks, in which cybercriminals create functional, but fake, Wi-Fi access points (aka “evil twin” networks), can gather sensitive data from victims’ devices.

Don’t bet the farm!

There are threats aplenty in the world of casinos. Scams with fake ads copying a well-known casino’s brand can present promising online gambling opportunities with great welcome bonuses. In fact, some of these scams use unauthorized photos of employees and properties to appear legitimate. What’s more, by pretending to be casino staff, bad actors could try to social engineer their way toward sensitive data, or even gain access to a casino’s systems.

What both casino operators and guests have in common is an understanding that stacking the deck in their favor is important. To double down on their security, they should consider:

• Prevention-first security: Simple antiviruses aren’t enough to protect the myriad devices casinos, hotels, or their guests have. Also, as various IoT vulnerabilities and supply-chain breaches enter the mix, these businesses and consumers must be on a proactive lookout. Businesses should consider investing in a platform such as ESET PROTECT Elite, which can provide all-encompassing protection with vulnerability management and advanced threat defense.
• Active threat hunting: For those casinos that lack the right IT staff, it would be wise to invest in a managed security service, such as ESET PROTECT MDR Ultimate, which, on top of product security, also adds highly tailored 24/7 protection with experts acting as your wild card against would-be malice, ensuring business continuity.
• Security audits: This is especially useful for protecting against supply-chain threats. A security audit could highlight weaknesses in casino systems, enabling the defenders to patch them up on time.
• Zero-trust: Access management methods such as zero-trust can ensure proper controls to mitigate the chances of unverified access. For employees, having a solution capable of Secure Authentication is one way to achieve this.
• Integrate: Casinos with existing security solutions should consider diversifying their existing security stacks with additional solutions such as Threat Intelligence. Consider that the more details that are available to an operation, the better and faster their decisions could be, saving a business millions in minutes.
• Mobile Security: Visitors to Vegas are very likely to be on the move. Hopping on and off various networks, trying out new apps, and signing up to promotions for discounts all get safer with a security solution like ESET Mobile Security, which offers protection from viruses, ransomware, and other malware. Prevention First helps you stay safe, evade phishing scams, shop safely, browse, and download files.

Incidentally, advice like this will be discussed at ESET World 2025, at the Aria Resort & Casino in Las Vegas, where experts from all around the globe, from businesses, to analysts, to government actors, will present a path to achieving a secure future. Vegas will be the place to see where progress is protected, and to connect with CISOs, renowned threat hunters, and cybersecurity experts advising CISA, NATO, and Interpol.

There’s no reason not to implement powerful security measures to deter malicious actors from swooping in on one’s turf. This means that casinos, resorts, hotels, and even their guests, should realize that it’s not just everyone’s money they’re after – there are far more compelling reasons to be targeted.