Casinos cautioned to restrict access to player card information

Casino companies may not be the only ones keeping track of how many points you have on your player card.

The cards represent a growing number of fraud cases in Las Vegas, as hackers target the popular programs and casinos' customer databases in an effort to gain access to customers' personal information or steal points, gaming regulators and security analysts said.

"We are investigating several cases at the moment," said Jerry Markling, chief of the enforcement division of the Nevada Gaming Control Board in Carson City. "We've been seeing a lot of cases involving players club programs and the stealing of points."

Markling declined to comment on specific cases or give further details.

The problem has become serious enough that regulators sent a letter in December reminding casino companies of their obligations to protect customer information and periodically review their database security.

"Nevada has some very strict laws in place regarding customer confidentiality," said Rob Meyne, vice president of corporate communications with Boyd Gaming Corp. "In addition, the Nevada Gaming Control Board has recently reminded licensees that they are responsible for maintaining security of customer databases."

Meyne stressed that his company takes the issue of customer privacy "very seriously" and provides safeguards for its customers.

Other casino companies declined to comment on the issue.

The security threat doesn't just involve player cards, either.

State gaming officials and security analysts said casinos' smart phone applications -- which require users to provide personal information that is stored in casino databases-- are also a concern. Hackers are attempting to hack into these databases to gain access to credit card or debit card information, or banking and other financial information.

All of this information is potentially at risk, according to security analysts.

"The bad guys like casinos because they have a lot of personal information," said Jon Oltsik, principal analyst with the Enterprise Strategy Group in Milford, Mass. "The days of viruses and worms have been replaced with targeted attacks."

Oltsik said targeted attacks against casino databases primarily come from Eastern Europe.

"They are very skilled and know what they are doing," he said. "They are very good at poking around a network and finding its weak points."

Customer information is vulnerable to theft in other ways, too.

A casino company can easily steal a guest's information off a laptop or personal computer or an employee can be bribed to download sensitive information from the casino's database.

The letter to casino companies about the security threats came from former Control Board member Randall E. Sayre and said there had been "numerous incidents" where databases "have been compromised and the potential for identity information theft existed."

"As technology advances and more and more information is stored in these databases, they will almost certainly become a more inviting target for cyber-criminals," the letter noted.

He also warned about the ease with which this information can be stolen.

"Any area of crime involving the Internet is growing," said Dr. B. Grant Stitt, professor and chair of the Department of Criminal Justice at University of Nevada, Reno.

Sayre's letter did not say which incidents the Control Board had investigated, but two recent incidents that became public involved the theft of personal information in Las Vegas.

In July, a hacker acquired information about attendees at Cisco Live 2010, a computer industry event at Mandalay Bay. The information stolen, however, was not attached to Mandalay Bay's database.

The Desert Rose Resort also reported that an "unspecified number" of guests at the hotel between June and October had their debit and credit card information stolen by a malicious software infection.

Messages left with Shell Vacations Hospitality in Chicago, parent company of Desert Rose Resort, were not returned. In a statement, Shell Vacations President Susan Kelley said investigators found the breach occurred within a specific management software program.

The hotel chain, which doesn't operate a casino at its Las Vegas property, was forced to process credit cards through a separate system, while debit cards were no longer accepted for a time

These two attacks illustrate how cyber-criminals are becoming more targeted in the information they attempt to steal.

Martin Drew, president of iView Systems in Oakville, Ontario, said there is always a threat to databases that store personal and financial information.

"Based on our experience, casinos are very professional about the collection and storage of personal information," said Drew, whose company designs security and surveillance software.

He said while information security is complex, casinos never rely on one layer of protection. They always deploy multiple layers of protection and generally use encrypted information.

"There are no easy fixes," Oltsik said. "Security is the cost of doing business. Take the threats seriously. Remember, I don't have to be in Nevada to get this information."

Contact reporter Chris Sieroty at csieroty@reviewjournal.com or 702-477-3893.