Caesars Rewards Members are receiving notice of the data breach that occurred more than a month prior. The breach occurred in August 2023, but Caesars did not report it to regulatory officials until September 2023 and is finally notifying victims in mid-October 2023. The loss of data includes victim’s names, driver’s licenses, or other government-issued ID numbers. A separate legal filing is claiming that Caesars actually exposed consumers’ names, mailing addresses, telephone numbers, email addresses, dates of birth, driver’s license numbers, and Social Security numbers.

The attackers demanded money after they were in possession of the data and Caesars decided to pay the ransom.

I cannot express how disappointed and frustrated I am with Caesars response!

Takeaways:

1. Caesars cybersecurity posture was unable to prevent or quickly detect and contain the data breach — which shows immaturity in their investment and operational procedures

2. Caesars failed to protect, encrypt, or delete unnecessary data. — showcasing a failure in management to properly respect acceptable data collection, destruction, and privacy practices

3. Caesars paid extortion money to untrustworthy criminals, who may be working for an aggressive nation-state that is committing atrocities — which makes them unethical

4. Caesars took over a MONTH to inform victims that their data was exposed, giving that window of time to criminals and allowing greater victimization — showing that Caesars does not really care about its customers, but rather how well it can control negative brand implications

Infuriating statements in the notification letter:

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.” — You paid the ransomware extortion and you are not ensuring anything! The data is exposed and in the hands of unscrupulous cybercriminals who are motivated by money. They will sell it as many times as they can because well, money!

“…recently identified suspicious activity…” — that was well over a month ago?!? News agencies have been reporting this for weeks. Your delay is inexcusable. This is why the industry is supporting the SEC reporting requirements of 4 days!

“While we do not have any specific reason to believe that you are at risk of identity theft or fraud as a result of this incident…” — so a criminal that breached your security, stole sensitive data, and extorted money from you is not considered a specific reason for the risk of identity theft or fraud? Absurd, incompetent, and flat-out insulting.

This is the wrong way to handle data breaches! It is what happens when corporate lawyers and marketing people are allowed to decide how a cybersecurity crisis response should proceed.

Not surprisingly, Caesars is already facing class action lawsuits. Where do I sign up?