Hotel and casino giant Caesars Entertainment said Thursday that hackers stole a huge trove of customer data in a recent cyberattack, confirming recent media reports.
Caesars said in an 8-K notice with federal regulators filed before markets opened on Thursday that hackers stole a copy of the company’s loyalty program database, which includes driver’s license numbers and Social Security numbers for a “significant number of members.” Public companies are obligated to file 8-K notices when an event or incident has a material effect on their businesses.
Caesars said that other data was stolen in the cyberattack, but did not say what. It’s not clear how many individuals are affected by the incident.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the SEC filing, implying that the company had paid a ransom as reported.
Bloomberg first reported the Caesars incident on Wednesday afternoon on the U.S. east coast, citing sources familiar with the event. The Wall Street Journal later reported that Caesars paid about half of the $30 million demanded by the hackers to prevent the disclosure of stolen data.
Caesars spokesperson Robert Jarrett did not respond to a request for comment.
In a separate data breach notice, Caesars confirmed the cyberattack was caused by social engineering on an outside IT vendor, which Caesars did not name.
According to Bloomberg, the hackers first targeted the hotel and entertainment giant in late-August. The hacking group thought to be responsible, known as Scattered Spider (or UNC3944), is known for using social engineering to trick employees into granting access to large corporate networks. Members of the transatlantic hacking group reportedly include young adults and teenagers, resembling similar hacking and extortion groups like Lapsus$.
A representative for the Scattered Spider hacking group told TechCrunch that they carried out the cyberattack on MGM, but denied involvement with Caesars.
Caesars is the second hotel and casino giant to be hacked in recent weeks, after MGM Resorts reported a “cybersecurity issue” on Monday. Its outage continues into its fourth day with no immediate signs of technical recovery.
MGM has not responded to multiple requests for comment by email and phone. It’s not clear if MGM’s corporate phone lines currently work.
When reached by email, an FBI spokesperson declined to comment on questions related to the incident at Caesars, including whether it was aware or investigating. The FBI spokesperson, who declined to be named, confirmed it was investigating the MGM cyberattack but said it was “not able to provide any additional detail.”
Caesars said it reported the incident to law enforcement. U.S. authorities have long advised victims of cyberattacks and extortion not to pay the ransom.