Caesars Entertainment reportedly paid roughly $15 million in an attempt to placate hackers who threatened to leak the sensitive customer data stolen during a summer cyberattack.
The Las Vegas casino giant’s payout was approximately half of the $30 million that the hackers had demanded, the Wall Street Journal reported on Wednesday.
Caesars admitted that the hackers breached its systems through a “social engineering attack on an outsourced IT support vendor,” according to a regulatory filing.
The bad actors stole a copy of the Caesars’ loyalty program database, including the driver’s license numbers and Social Security numbers “for a significant number” of customers.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the filing. “We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”
Caesars did not identify the culprits behind the cyberattack.
However, a group called Scattered Spider or UNC 3944, which specializes in social engineering attacks, is believed to be responsible, two sources familiar with the matter told Bloomberg. The attack reportedly began around Aug. 27.
In social engineering attacks, hackers trick users into providing their log-in credentials or passwords in order to bypass security and gain access to company systems.
The company said there was “no evidence” that customer financial information such as bank account numbers was accessed in the hack. Caesars said it is offering credit monitoring and identity protection services to its loyalty program members.
“The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined,” the filing added.
Caesars representatives did not immediately respond to a request for comment.
The disclosure came days after another major casino operator, MGM Resorts, was crippled by a cyberattack that left guests locked out of their rooms and left slot machines, sportsbooks and other systems inoperable.
Casino staffers resorted to checking in guests by hand, while onsite bars turned into cash-only establishments, according to Bloomberg.