Caesars Entertainment is facing multiple class action lawsuits from hotel guests alleging the company was negligent for allowing their sensitive personal data to be stolen in a social engineering attack.
Caesars disclosed earlier this month that its guest rewards database was stolen after hackers launched an attack against an IT support vendor. Security researchers say the incident was part of a larger campaign by a group called Scattered Spider, which used voice phishing techniques against various organizations.
At least four lawsuits have been filed in the U.S. District Court in Nevada, with the plaintiffs seeking class action status. The plaintiffs are accusing the hotel and casino giant of negligence and unjust enrichment for failing to secure the personal data of hotel guests.
Caesars Entertainment, in a Sept. 14 filing with the Securities and Exchange Commission, confirmed the hackers got a copy of their frequent guest database, which contains Social Security numbers and drivers licenses for a large number of guests.
Caesars Entertainment did not initially file a disclosure about the attack until after the MGM attack had been discovered due to operational issues at those properties. MGM disclosed its cyberattack in a Sept. 12 press release and SEC filing.
Caesars Entertainment said it was still investigating what other information was part of the data theft, however it had no evidence that member passwords, PINs, banking data or credit card numbers were part of the theft, according to the SEC filing.
Caesars Entertainment is one of the largest hotel and casino companies in the world and is a major player in the Las Vegas market. The Reno, Nevada-based firm operates more than 47,000 hotel rooms in 16 states.
The attack took place within weeks of a similar attack against rival MGM Resorts, which operates more than 30 hotel and casino properties globally. The MGM attack caused massive operational disruptions in Las Vegas, where guests were locked out of rooms, payments were disrupted and slot machines stopped working.
Security researchers believe the Scattered Spider threat group was working in some capacity with another group called AlphV/BlackCat. Okta confirmed that it had been the subject of numerous social media attacks and was working with MGM Resorts to help recover from the attacks.
Caesars Entertainment officials were not immediately available for comment