2023-09-14 Caesars Entertainment, Inc. Cybersecurity Incident

Page last updated on April 11, 2024

Caesars Entertainment, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-09-14 09:00:58 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-09-14
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)


8-K filed on 2023-09-14

Caesars Entertainment, Inc. filed an 8-K at 2023-09-14 09:00:58 EDT
Accession Number: 0001193125-23-235015


Item 8.01

Other Events.

Caesars Entertainment, Inc. (the “Company,” “we,” or “our”) recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company. Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.

After detecting the suspicious activity, we quickly activated our incident response protocols and implemented a series of containment and remediation measures to reinforce the security of our information technology network. We also launched an investigation, engaged leading cybersecurity firms to assist, and notified law enforcement and state gaming regulators.

As a result of our investigation, on September 7, 2023, we determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database. We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor. We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.

We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program. To sign up for these services, members may call (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.

Additionally, we will be notifying individuals affected by this incident consistent with our legal obligations. These notifications will be made on a rolling basis in the coming weeks. In the meantime, individuals with questions may contact the dedicated incident response line we have established to address questions about this incident, which can be reached at (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.

While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents. These efforts are ongoing. We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems.

We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined. Although we are unable to predict the full impact of this incident on guest behavior in the future, including whether a change in our guests’ behavior could negatively impact our financial condition and results of operations on an ongoing basis, we currently do not expect that it will have a material effect on the Company’s financial condition and results of operations.

The trust of our valued guests and members is deeply important to us, and we regret any concern or inconvenience this may cause. For additional information, please visit https://response.idx.us/caesars. Information set forth on that website is not incorporated herein by reference.

Forward-Looking Statements

This report includes “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. When used in this report, the terms or phrases such as “anticipates,” “believes,” “projects,” “plans,” “intends,” “expects,” “might,” “may,” “estimates,” “could,” “should,” “would,” “will likely continue,” and variations of such words or similar expressions are intended to identify forward-looking statements. Examples of such statements include, but are not limited to, the scope of data that was accessed and copied by the unauthorized actor; the efficacy of the steps that we have taken to prevent the release of customer data and future cybersecurity incidents; and the impacts of the cybersecurity incident on our guests and on the Company’s business, financial condition and results of operations. We may uncover additional facts not currently known to us, which may cause us to reassess such matters.

Factors that could cause actual results to differ materially from those expressed or implied include the following: the ongoing assessment of the cybersecurity incident and our ability to fully assess and remedy the incident; the impact of the cybersecurity incident on our guests and our relationship with existing and future guests; legal, reputational and financial risks resulting from the cybersecurity incident or additional cybersecurity incidents; our ability to recover under our cybersecurity insurance policies and make indemnification claims against third parties; our ability, and the ability of our outsourced vendors, to implement corrective measures to protect against future cybersecurity incidents; litigation or regulatory proceedings that may be brought against the Company as a result of the cybersecurity incident; and the other factors set forth in the Company’s Annual Report on Form 10-K for the year ended December 31, 2022, and other public filings with the Securities and Exchange Commission. These forward-looking statements speak only as of the date of report, even if subsequently made available on our website or otherwise, and we assume no obligation to update any forward-looking as a result of new information or future events or developments, except as may be required by law.

Company Information

Name: Caesars Entertainment, Inc.
SIC Description: Hotels & Motels
Ticker: CZR - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30