January 18, 2023

  • Phil Savage, Head of European Affairs, IMGL

Getting up to speed with cyber security

As regulators rush to raise the cyber security bar, the industry has plenty of reasons to get ahead of the hackers, says Phil Savage

Recent high profile instances of online sports betting companies being hacked and consumer data and funds being stolen have rattled consumers. The breaches have resulted in knees being jerked by operators, regulators and investors alike whilst trade bodies have commissioned reports and convened working groups to help tackle the problem. Cyber security is not a new challenge but there are new reasons to take it seriously.

A November cyber breach at DraftKings resulted in six-figure losses from customer accounts. The company played down the breach saying that it had found “no evidence that DraftKings’ systems were breached” and that they had “identified less than US$300,000 of customer funds that were affected”. However, the scale of unauthorized intrusions reported on social media led industry experts to question whether the number could be substantially higher. This fear turned to fact when DraftKings filed a data breach notification with the Maine Attorney General’s office disclosing that the data of 67,995 people was exposed in the incident. The company said the attackers obtained the credentials needed to log into the customers’ accounts from a non-DraftKings source. The filing said that hackers could have viewed multiple data points including the account holder’s name, address, phone number, email address, the last four digits of their payment card, profile photo, transaction details, account balance and the date of the last password change. They clarified there was currently no evidence that the attackers accessed Social Security numbers, driver’s license numbers or financial account numbers.

The attack was a so-called credential stuffing breach, where data obtained elsewhere was used speculatively to log in to DraftKings customer accounts. In this type of attack, actors use automated tools to make repeated attempts (up to millions at a time) to gain access to user accounts using credentials (commonly in user/password pairs) stolen from other online services. Consumers using the same login details on multiple website accounts are considered low-hanging fruit and vulnerable to this kind of activity.
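The pattern described above leaves a recognizable trace in an operator's login records: one source attempting many different accounts, almost all of which fail. The following is an added illustration, not taken from any operator's systems; the event format, the thresholds and the sample data are assumptions constructed for the example.

```python
from collections import defaultdict


def build_sample():
    """Constructed login events: (source_ip, username, success)."""
    events = []
    # One source tries 40 different accounts; 2 succeed (reused passwords).
    for i in range(40):
        events.append(("203.0.113.7", f"user{i:03d}", i in (11, 29)))
    # A genuine customer mistypes a password three times, then gets in.
    events += [("198.51.100.20", "alice", False)] * 3
    events.append(("198.51.100.20", "alice", True))
    # Several customers behind one shared address, all successful.
    events += [("192.0.2.50", name, True) for name in ("bob", "carol", "dave")]
    return events


def detect_stuffing(events, min_accounts=20, min_failure_ratio=0.8):
    """Flag sources that look like credential stuffing.

    Returns {source_ip: [accounts successfully logged into from that source]}.
    The signal is breadth (many distinct accounts from one source) combined
    with a high failure ratio, which separates stuffing from a single
    customer repeatedly mistyping their own password.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    accounts = defaultdict(set)
    successes = defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        accounts[ip].add(user)
        if ok:
            successes[ip].add(user)
        else:
            failures[ip] += 1

    flagged = {}
    for ip, total in attempts.items():
        ratio = failures[ip] / total
        if len(accounts[ip]) >= min_accounts and ratio >= min_failure_ratio:
            # Accounts that succeeded from a flagged source are the ones to
            # lock, force a password reset on, and review for withdrawals.
            flagged[ip] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    for ip, taken_over in detect_stuffing(build_sample()).items():
        print(ip, "-> accounts to lock and reset:", taken_over)
```

Real campaigns spread attempts across many source addresses, so the same grouping is usually repeated over other keys an operator holds, such as device identifiers.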

Incidents like this are not new but the recent dramatic expansion in the number of US states legalizing online gambling has led to warnings from the FBI and others that the attacks are growing in volume. Identity and access management company Okta estimated that up to one-third of all sign-in attempts are malicious and fraudulent across the platforms it monitors.

DraftKings is not alone when it comes to being targeted by hackers. BetMGM, a joint venture between MGM Resorts International and Entain, wrote to customers in December 2022 informing them of a breach that had taken place the previous May. While the betting firm did not disclose the number of customers whose information had been stolen, the likely attackers are already selling it online. Threat actor “betmgmhacker” boasted that “We breached BetMGM’s casino database current as of Nov 2022”.

The stolen information was for sale on a hacking forum and described as “inclusive of every BetMGM casino customer (over 1.5M) as of November 2022 from MI, NJ, ON, PV, and WV.”

FanDuel, another major sportsbook, was reportedly targeted in the same attack as DraftKings. This comes on top of issues experienced by the company in Canada earlier in the year, where the operator reported its sports betting and casino app had “experienced a technical incident” as a result of a technology change by a third-party vendor. During that time, some customers could have had access to other customers’ account information. When this was discovered, FanDuel said it shut down the platform and froze affected accounts while it resolved the issue. The incident attracted the attention of the regulator for sports betting in Ontario. The Alcohol and Gaming Commission of Ontario said in September it would be “conducting a full regulatory review” of the matter, which will in turn trigger a requirement for FanDuel to inform the UK Gambling Commission and regulators in other countries where it has operations. FanDuel’s parent company, Flutter Entertainment PLC, noted in its interim financial results in August that cyber resilience and the protection of data was a key risk it needs to manage.

The regulator’s response

The Canadians are not the only regulators taking an interest in the situation. US legislators and regulators are working proactively to enact safeguards that will help lower the probability that another large sportsbook will experience a major cyber disruption. Following industry consultation, the Nevada Gaming Commission (“NGC”) updated its regulations to require its casinos to formulate tighter controls over cybersecurity threats and their online operations to better protect against leaks of sensitive information such as client data, and to promptly report cybersecurity attacks to the NGC.

A summary of the measures contained in Nevada’s new regulations is as follows:

  1. Operators should take “all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks.” Operators must document the precautions taken and make them available to the NGC upon request. Operators must secure personal information gathered from patrons and employees as well as the operator’s own records.
  2. Operators should conduct a risk assessment and adopt cybersecurity best practices by December 31, 2023. Operators will need to monitor attack trends and periodically reassess their security practices to update their safeguards and risk assessment.
  3. Operators should notify the NGC no later than 72 hours after becoming aware of a cyber attack that results in the material loss of control, compromise, or disclosure of information, investigate the attack, and prepare an investigative report to be shared with the Commission upon request.
  4. Operators should retain an outside cybersecurity analyst to review the operator’s security practices annually and attest in writing that those practices comply with the NGC’s regulations.

Nevada’s stance has been seen by some as relatively relaxed. Its regulations give casinos a year to develop adequate cybersecurity solutions and procedures, and companies will also have relative freedom in implementing their new cyber security features. Following input from the Nevada Resorts Association and the Association of Gaming Equipment Manufacturers, the NGC gave operators a lot of leeway with the new regulations, making them intentionally vague and open to interpretation. Since the rules mostly lack strict requirements, they provide casinos with opportunities to cooperate with authorities like the FBI and other agencies before submitting a detailed report to the NGC.

While other states could adopt similar policies, it remains to be seen whether hackers will still be able to exploit enforcement gaps. That said, the industry is waking up to the need to reassure consumers and take pre-emptive measures to reduce the chances of being targeted irrespective of regulatory pressure to do so.

Gaming as well as gambling

Cybercrime is common across consumer verticals so it is no surprise that the gaming sector has also been targeted. Attacks increased by 167 percent in the last year, according to a new report by cybersecurity firm Akamai.

The research found that the United States is the main target of attackers, followed by Switzerland, India, Japan, the United Kingdom and other nations throughout Europe and Asia. The report also claimed that gaming is the industry hit by the most distributed denial-of-service (DDoS) attacks globally, accounting for 35 percent of all DDoS traffic worldwide.

Akamai found that the gaming industry shows no signs of slowing down from the boost provided by COVID-19 lockdowns and social distancing. In parallel with that growth, cyber-criminals have continued perpetrating attacks on gamers and game platforms, with web application attacks having more than doubled over the past year. This has been particularly apparent in cloud gaming, where continued expansion has been matched by hostile activity. The rise of micro-transactions also represents a huge draw for criminals who can capitalize on the spending power of gamers and the fungible nature of virtual assets, according to the report.

Fraud is just one threat

While fraud and, to a lesser extent, money laundering are concerns, the theft of sensitive customer information may be more damaging long term to operators and customers. Online gambling companies routinely collect and are often required to hold extensive data on customers including their age/date of birth, Social Security number, physical and email addresses and other information used to verify their identity. Accounts contain financial and banking information, passwords and security questions, and customer location, habits and preferences may also be tracked. This collection of data is not limited to online sports betting and casino sites. Esports, video gaming and similar online apps face similar questions regarding data security.

In Europe a comprehensive legal framework covering data and privacy has been adopted through the General Data Protection Regulation (GDPR) which became effective in 2018. This stems from the view that privacy and the protection of personal data are fundamental rights. By contrast, the American view is that the relationship between a consumer and a commercial entity is contractual and the terms of service of gambling, gaming and other consumer sites tend to give control over personally identifiable information to the commercial entity.

While data protection and data privacy are recognized as critical dimensions of cybersecurity law, regulation, and policy, these issues have yet to be addressed in a single, comprehensive federal data protection law. That is not to say that privacy and data protection are unregulated. In their 2021 paper for the American Bar Association, Kathryn Rand and Steven Light listed eight federal laws that address data security in specific areas:

  • Children’s Online Privacy Protection Act (COPPA)
  • Computer Fraud and Abuse Act (CFAA)
  • Consumer Financial Protection Act (CFPA)
  • Electronic Communications Privacy Act (ECPA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Trade Commission Act (FTC Act)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Fair Credit Reporting Act (FCRA)

Whilst these acts would appear not to have an immediate bearing upon online gambling and gaming, they provide a network of protections which operators must have regard to. The Children’s Online Privacy Protection Act (COPPA), for example, outlaws the collection of personal information from children without verifiable parental consent. As a consequence, many gaming apps directed at children avoid any potential infringement of child privacy stipulations by creating a “zero-data” environment that does not collect any information, either directly or anonymously, from users.

In addition to federal laws, hundreds of bills have been passed at state level which address privacy, cybersecurity, data breaches and consumer protection. There are also numerous state laws relating to data disposal.

An international dimension

Gaming companies that suffer data breaches in the USA may feel their responsibilities extend only as far as US federal and state laws. However, the increasing numbers of operators with interests in Europe and elsewhere mean they are often impacted internationally too, irrespective of whether they are physically located in those territories. US companies with customers in the UK are required to register with the Information Commissioner’s Office (ICO) and to notify the authorities if a breach has occurred, whether or not UK customers have been impacted. Similar requirements apply in mainland Europe, where companies are obliged to liaise with authorities in the country where most of their data processing occurs. Since Brexit, EU companies with UK customers also have to register with the ICO. The penalties for non-compliance can be sizeable: up to €20 million or four percent of annual global earnings, whichever is the larger.

Although not a gambling industry case, Marriott International, Inc (“Marriott”) was fined £18.4 million by the UK ICO over GDPR violations relating to its subsidiary Starwood Hotels and Resorts Worldwide (“Starwood”). The case has some notable features, namely:

  • the breach pre-dated Marriott’s 2016 acquisition of Starwood, although it was not discovered until after the acquisition was complete
  • Marriott notified the ICO when it discovered the attack in 2018
  • it was the US parent company’s systems which were deemed to have failed, and a fine was levied accordingly on its worldwide operation.

The size of the penalties (£18.4 million was a reduction from an initial proposal of a £99 million fine) and evidence that regulators are willing to adopt them should serve as a wake-up call to operators who sometimes act as if the inconvenient laws enacted by countries where they do business don’t apply to them.

A question of confidence

Regulators will always be playing catchup as hackers and fraudsters use sophisticated and rapidly changing technology. However, operators often have access to the technical expertise needed to take action and can make the business case for doing so. When news of the DraftKings hacking incident came through, the company’s share price tumbled 10 percent.

Whilst much of the lost ground was quickly made up it wasn’t just shareholders who were upset at the breach.

Customers affected by the situation were very vocal on social media in a PR disaster for the sportsbook. Some claimed to have watched their accounts being drained of funds whilst being unable to contact DraftKings’ support team. Understandably, the focus of the industry has been on onboarding as many new customers as possible as part of the land grab which has followed legalization. Having ploughed US$ millions into marketing, the industry will need to pivot rapidly towards a service-based approach if it is not to see the trust and confidence of those hard-won customers eroded.

Europe’s GDPR may be seen as regulatory overreach but it can also be part of a process of reassuring customers that their data (and their funds) are safe from fraudsters and hackers. Recognizing this fact, the European Gaming and Betting Association (EGBA) issued an industry code which addresses specific features of the online gambling services sector. The code provides operators with clarity on areas where interpretation of GDPR implementation is needed, as well as ensuring that players feel confident that their personal data is used appropriately.

Best practice for cybersecurity and data privacy

In light of the rising threats from criminals and increasing demands from regulators, online gambling companies should invest in implementing cybersecurity and data privacy best practices and use any breaches as a learning opportunity to prevent future attacks. Fraud ranging from identity theft to credit card fraud and account takeovers happens in every e-commerce vertical. The online gaming space is unique in holding so much data, including precise geolocation information, and can link users and accounts, digital devices and payment methods together. This should allow the industry to spot fraud quickly, preventing large-scale losses, and also to identify the perpetrators. Utilizing data to detect fraud not only protects customers but should make the experience of trusted players better and more friction free.

Credential stuffing attacks like the one suffered by DraftKings show that customers must also play their part in online privacy and security. To prevent fraud, customers must accept some inconvenience and be encouraged to adopt good cyber-security hygiene. Consumer education is part of the solution to online frauds of all kinds and represents best practice in cybersecurity. Best practice also includes:

  • Following best practice policies and procedures issued by government agencies and industry groups wherever a company has customers;
  • Developing contacts proactively with law enforcement agencies and third-party cybersecurity providers;
  • Ensuring that executives, including board members, know and are bought into the fact that cybersecurity is their responsibility;
  • Regularly reviewing cybersecurity incident response policies and procedures and staff training;
  • Investing in secure payment systems to process transactions.

Hackers — like any other criminals — follow the money. It is inevitable that the massive increase in sports betting in the US will attract cyber criminals looking to steal funds and disrupt platforms. Other industries and other parts of the world have already faced these challenges and solutions do exist. Gaming companies, particularly those that generate the bulk of their revenue online, have no choice but to diligently invest in cybersecurity. Those that fail to do so risk inviting data breaches and, with that, the possibility of harsh judgment from regulators, in the court of public opinion and in the investment community.