Data Breach Graphic
Image from Shutterstock.com

Ontario police are investigating what could be a huge data breach at one of the province’s popular casinos, Casino Rama Resort in the cottage country north of Toronto.

The resort said a hacker claimed on Nov. 4 to have accessed customer, employee and vendor information, some of which dates back nine years. As a result anyone who has been to or worked at the the hotel or  casino are being warned to monitor and verify all bank accounts, credit card and other financial transaction statements and report any suspicious activity to the appropriate financial institution.

“We can confirm that certain employee and customer information was stolen.” the resort said.

feature-casino-rama

“The hacker claims to have accessed information that includes Casino Rama Resort IT information, financial reports regarding the hotel and casino, security incident reports, Casino Rama Resort email, patron credit inquiries, collection and debt information, vendor information and contracts and employee information including performance reviews, payroll data, terminations, social insurance numbers and dates of birth,” the resort said in a statement on its Web site. “The hacker claims that the employee information dates from 2004 to 2016, and that some of the other categories of information taken date back to 2007.”

The resort said its internal IT team has been working with cyber security exerts to “neutralize the issue.” There is no indication now that the attacker continues to have access to its systems, it added.

UPDATE: On Nov. 14 a Toronto law firm filed an application in the Ontario Superior Court asking that a multi-million dollar  breach of care class action lawsuit be certified on behalf of a man who was at the Casino Sept. 25, gave a driver’s licence and credit card as identification and recieved an email from the resort on Nov. 10 alerting him that Casino Rama had been the victim of a data breach; and a woman who has been to Casino Rama since 1999 and gave personal information to join the resort’s rewards program. Lawsuits filed on behalf of a class of people with identical claims — as opposed to individual lawsuits — have to be approved by a judge. Before the certification others who think they are victims can join the lawsuit.

The lawsuit asks for $50 million in damages plus $10 million in punitive damages from the defendants, who include the Chippewas of Rama First Nation, who own the resort; CHC Casinos Canada; Penn National Gaming, which operates the resort; the Ontario Lottery and Gaming Corp., which oversees gaming in the province; and the provincial Alcohol and Gaming Commission.

Without any details on how the enterprise was breached the first suspicion falls on the hotel, restaurant and gaming point of sale machines. POS machines at hotels and restaurants have been a target for years. In 2009 we reported on a presentation at that year’s SecTor cyber security conference in Toronto that outlined how the POS server at an unnamed club connected to a major Las Vegas casino was breached through an integrator’s remote desktop support app.  Both the username and password was the POS vendor’s name.

Last year we reported that a new variant of a memory scraper POS malware that dates back to 2008 had been victimizing guests in casinos, resorts and hotels in the last few weeks in Canada, United States, Europe, the Middle East and Latin America.

Casino Rama has notified the Ontario Provincial Police (OPP), the Royal Canadian Mounted Police (RCMP), the Ontario Lottery and Gaming Corporation (OLG) , the Alcohol and Gaming Commission of Ontario and the Privacy Commissioner of Canada and the Information and Privacy Commissioner of Ontario.

The resort, which opened in 1996, is owned by and located on the Rama First Nation, and operated by Penn National Gaming, Inc. , a U.S. based conglomerate which,  through its subsidiaries, owns, operates or has ownership interests in hotel, gaming and racing facilities in 16 American states as well as here.

In its statement the resort emphasized that the casino games hadn’t been breached.

In addition to the casino the resort has a 300-room hotel, eight restaurants and a  5,000 seat entertainment centre, which has hosted The Tragically Hip, Jerry Seinfeld, Jason Derulo, Carrie Underwood, Don Henley and production shows such as Dancing with the Stars and  boxing events.

“Overall we’ve seen a rise in attacks targeting gaming institutions like casinos,” said J.Paul Haynes, CEO of eSentire, a Cambridge, Ont.-based managed security provider. “In cases like this where hackers have targeted and obtained sensitive personally identifiable information (PII) like social insurance numbers and credit card information, the effects of a breach can be felt for months and sometimes even years; usually the information ends up for sale on the dark web. With over 3 million customers per year and more than 2000 staff and a number of third party vendors, thousands of individuals could be impacted. All former and current customers and employees should remain vigilant and monitor their accounts for compromise.”