Hackers hit Sands Casino: Limited Digital Security

December 15, 2014 // Ellen Neveux

Last Updated: May 30, 2018

Hackers had personal motives – targeted weak digital security
Casinos are infamous for their elaborate physical security — think Ocean’s 11 — but this attack shows the limited cybersecurity of one of the world’s largest casino brands. Earlier this year, Las Vegas Sands Corp was hit with a crippling cyber-attack that brought down servers and exposed sensitive data. The breach occurred in February but was not made public until last week, following a Bloomberg Business article detailing the attack. The piece discussed the hackers’ motives, but also described the Sands’ poor digital security protocols.

On the day of the attack, hundreds of Sands employees tried frantically to salvage any working machines. Bloomberg reports, “IT staffers scrambled across the casino floors of Sands’ Vegas properties — the Venetian and its sister hotel, the Palazzo — ripping network cords out of every functioning computer they could find, including PCs used by pit bosses to track gamblers and kiosks where slots players cash in their tickets.”

Event highlights need for secure credential management
The event highlights the urgency of secure credential management. The hackers gained access to the corporate network after stealing the credentials of a senior systems engineer. “Those credentials got the hackers into the gaming company’s servers in Las Vegas,” Bloomberg reported. “As they rifled through the master network, the attackers readied a malware bomb. Typing from a Sony (SNE) VAIO computer, they compiled a small piece of code, only about 150 lines long, in the Visual Basic programming language.” The hackers made public personal information about Sands Bethlehem employees, including emails and social security numbers.

The motives behind the Sands attack were not monetary, as in some other breaches we’ve seen this year, e.g. Target. Similar to the speculation surrounding the Sony Pictures breach, this attack was personally motivated. Billionaire and Sands CEO Sheldon Adelson appears to be the hackers’ target.

During a speech Adelson gave to a Yeshiva University audience in October of 2013, he outlined how he would aggressively handle Iran’s nuclear program. The statements quickly circulated around the web, and Iran’s Supreme Leader Ayatollah Ali Khamenei responded with disciplinary demands of the U.S. government.

Adelson is known to have advanced physical security measures in place – millions spent on personal bodyguards and a fortune in state-of-the-art vaults and cameras for the casinos. However, the digital life of the empire has been “slow to adapt,” according to Bloomberg: “Two years ago it had a cybersecurity staff of five people protecting 25,000 computers, according to a former executive.”

Preparation and a clear, honest understanding of your vulnerabilities are pivotal in avoiding being a target. Regardless of an attacker’s motive – financial, strategic or personal – the companies that appear to be low-hanging fruit will be the first to be breached.
