{ "id": "bec2a7d3-d445-4b3c-a0bd-105baee2e5c9", "created_at": "2026-04-06T00:17:32.955978Z", "updated_at": "2026-04-10T03:31:50.027483Z", "deleted_at": null, "sha1_hash": "fb97ca62dbd94a80be8fd168604cc2ab4afe88cc", "title": "Caesars Entertainment confirms ransom payment, customer data theft", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1742969, "plain_text": "Caesars Entertainment confirms ransom payment, customer data theft\r\nBy Sergiu Gatlan\r\nPublished: 2023-09-14 · Archived: 2026-04-05 20:20:54 UTC\r\nCaesars Entertainment, self-described as the largest U.S. casino chain with the most extensive loyalty program in the\r\nindustry, says it paid a ransom to avoid the online leak of customer data stolen in a recent cyberattack.\r\nCaesars discovered on September 7th that the attackers stole its loyalty program database, which stores driver's license\r\nnumbers and social security numbers for many customers.\r\n\"We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files\r\nacquired by the unauthorized actor,\" says an 8-K form filed by Caesars with the U.S. Securities and Exchange Commission\r\non Thursday.\r\nhttps://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"We have no evidence to date that any member passwords/PINs, bank account information, or payment card information\r\n(PCI) were acquired by the unauthorized actor.\"\r\nCaesars' 8-K also implies that a ransom demanded by the attackers was paid to prevent the leak of the stolen data online—\r\na Wall Street Journal report says the hotel and casino entertainment company paid roughly $15 million, half of the attackers'\r\ninitial $30 million demand.\r\nNonetheless, Caesars made it clear that it cannot provide any assurances regarding the potential actions of the threat actors\r\nresponsible for the incident, including the possibility that they might still sell or leak the customer's stolen information.\r\n\"We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this\r\nresult,\" Caesars said.\r\n\"We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise\r\nmisused.\"\r\nWhile Caesars didn't link the attack to a specific cybercrime gang or threat actor, a Bloomberg report published on\r\nWednesday claims the attack was conducted by a group known as Scattered Spider.\r\nAlso tracked as UNC3944 and 0ktapus, this financially motivated threat group has been active since at least May 2022.\r\nIt uses a combination of social engineering, multi-factor authentication (MFA) fatigue, and SMS credential phishing attacks\r\nto steal user credentials and breach targets' networks.\r\nData breach impacts only loyalty program members \r\nAccording to Caesars, customers not enrolled in Caesars' loyalty program were not impacted by the data breach. The\r\ncompany will notify all affected individuals over the coming weeks.\r\nThe company said in a separate data breach notification with additional details that it reported the incident to law\r\nenforcement.\r\nIt also added that the attack has not impacted its customer-facing operations, including online/mobile gaming apps and\r\nphysical properties, as they operate without disruption.\r\nCaesars is the second casino chain impacted by a cyberattack recently, with MGM Resorts International disclosing on\r\nMonday that it was forced to take its IT systems offline following a cyberattack that affected its websites, reservation\r\nsystems, and casino services (i.e., ATMs, slot machines, and credit card machines).\r\nIn 2020, MGM Resorts also disclosed a 2019 cyberattack that led to the breach of its cloud services, allowing the hackers\r\nto steal over 10 million customer records.\r\nUpdate: Added more info on Scattered Spider.\r\nhttps://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/\r\nhttps://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/" ], "report_names": [ "caesars-entertainment-confirms-ransom-payment-customer-data-theft" ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434652, "ts_updated_at": 1775791910, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fb97ca62dbd94a80be8fd168604cc2ab4afe88cc.pdf", "text": "https://archive.orkl.eu/fb97ca62dbd94a80be8fd168604cc2ab4afe88cc.txt", "img": "https://archive.orkl.eu/fb97ca62dbd94a80be8fd168604cc2ab4afe88cc.jpg" } }