Casino giant Caesars sends breach notifications to thousands • The Register

As more details emerge from September’s Las Vegas casino cyberattacks, Caesars Entertainment – the owner of Caesars Palace – has disclosed more than 41,000 Maine residents alone had their info stolen by a ransomware gang.

In a Friday filing with the the US state’s Attorney General’s office, Caesars disclosed extortionists siphoned 41,397 Mainers’ data, and listed the total number of victims “TBD.”

The hotel, restaurant, and casino chain described the theft as follows:

The hotel chain’s loyalty program was pillaged and Caesars noted that the stolen personal data included names and driver’s license numbers and/or identification card numbers. According to the filing, the crooks didn’t access customers’ financial information nor payment details.

In an attached security breach notification letter [PDF], Caesars told customers that the entertainment conglomerate has “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

These steps, we’d assume, including paying the ransom demand – which was reportedly negotiated at $15 million after an initial demand for $30 million.

“To ease any concern you may have, we are offering you complimentary identity theft protection services for two years through IDX, a data breach and recovery services expert,” the notification letter continued. 

“This identity protection service includes two years of credit and dark web monitoring to help detect any misuse of your information, as well as a $1,000,000 insurance reimbursement policy and fully managed identity restoration in the event that you fall victim to identity theft.”

The casino giant first confirmed the data theft in an SEC filing in September, but has yet to comment on the reported ransom paid to the ransomware crew. 

Caesars has not responded to multiple inquiries from The…