There’s No Gambling in Security at Caesar’s

William Worthington is charged with protecting the personal data of millions of guests who flock to Caesars Entertainment resorts and casinos across North America

The days of the traditional casino heist are long gone. Today’s Vegas thieves use a new set of digital tools to rob casinos—and they’re not necessarily after cash and chips. Hundreds of thousands of transactions occur daily at Las Vegas casinos. Just like Target, Home Depot, or any other major retailer, casinos experience data loss at the point of sale. Unlike some retailers, gaming industry behemoths retain huge amounts of customer data for marketing purposes and rewards programs. And that consumer information is more valuable than the money flowing in and out of the building itself.

In May of 2015, the Hard Rock Hotel & Casino Las Vegas revealed that hackers had been stealing customer information from its servers for up to seven months, citing credit and debit transactions at several point-of-sale locations. Stolen information included names, account numbers, and verification codes. 

Caesars Entertainment’s vice president of information technology security, William Worthington, is keeping a watchful eye on this and other incidents because he knows just how much a negative incident can affect a casino’s bottom line. “It’s about protecting your brand,” he says. “Lost trust isn’t easily regained, and we know that our customers can spend their money at any other casino on the Strip. We have to protect their data so they feel comfortable staying with us.”

More than 170,000 debit and credit cards were affected in the Hard Rock incident. Hackers infected the casino’s point-of-sale system with memory scraping malware that works around encryption to collect sensitive information. The malware is notoriously difficult to detect—but doing so is just one part of Worthington’s big job. He recently sat down with Sync to share his plan for protecting customer data and building a robust security program at Caesars Entertainment.

There’s a lot going on with security these days. As you walk around Caesars, what’s on the forefront of your mind each day?

William Worthington: Loss of PCI, PII, or IP data through theft of data, DDOS, and espionage, because any of these incidents would lead to a loss of brand confidence.

What’s changed in the industry over the last few years?

Worthington: Before the Payment Card Industry Data Security Standard and compliance measures came, the industry as a whole didn’t focus on security as a cost associated with fixing problems. It was easier to pay fines and assume risk, but when those auditable requirements changed, and more focus came because of breaches in the news, risks grew bigger and casinos started shifting their approach.

What’s been your focus since you accepted a position at Caesars in 2012?

Worthington: We work as a cohesive team, and together we are working to complement the strides we’ve made in prevention with robust solutions around detection. More casino companies are reporting compromises, and the frequency of reported breaches across several industries is on the rise. We’ve built a holistic security program with a security in-depth methodology, and in three years we’ve gone from a small unit to a team of thirty-five. We’ve built programs to meet or exceed all standards and regulations, we’ve created a risk heat map, and we’ve reviewed and created all new security policies along with a new security education program. We’ve deployed new security technology and have upgraded to next generation firewalls while deploying data-loss-prevention tools. We simply must be equipped to detect malicious acts and stop an incident before it really starts.

What are you focusing on next?

Worthington: Now that we’ve built the framework with the tools, policies, and processes, we want to measure ourselves against standards and quantify data to show the level of risk Caesars has today. We want to identify the next area of concern and anticipate more than we do today.

Can you guess the biggest change coming in the next eighteen months?

Worthington: I think there will be large changes across all the regulatory bodies as they push for stronger security controls and a focus on an overall security program.

How is the responsibility of a CISO or someone in your position changing?

Worthington: It’s getting more difficult. We have so much data, and mobile threats are increasing as people bring a larger variety of devices into our environment. The perimeter of every business is getting larger and larger, and we must communicate the ever-increasing threat to senior leadership.

So how do you react?

Worthington: By always looking forward and evolving our security programs to adjust to the ever-changing threat landscape. We must continuously monitor the network through log-management systems and advanced analytics to detect possible threats from inside and outside the environment in order to quantify and qualify our security risk to the board. 

You’ve mentioned brand confidence. What else is at stake for a company like Caesars Entertainment?

Worthington: These incidents will impact the bottom line. We track revenue on a daily basis, and if our occupancy drops because of lost trust in our ability to protect data, it’s going to affect our bottom line in a big way. Our higher-end customers come here and spend millions of dollars. The loss of just one customer could make a big difference, and we’re talking thousands of customers impacted in recent incidents at other casinos on the Strip.

What do you learn from observing these attacks?

Worthington: It’s no surprise that they’re going after data, because casinos collect and keep big amounts of customer data. They’re not trying to hack our bank accounts. That’s not where the value is. Attacks are getting larger, and the frequency of attack is greater. The bad actors are customizing attacks to get the exact information they want. They might purchase source code, but they manipulate it to take advantage of a specific environment. The premise of preventing an attack is gone. It takes a big investment to fight back because you have to gather information from every entry point in the network, track all sensitive data, and trigger alerts based on abnormal behavior. 

Tell me about your tokenization program.

Worthington: This has been one great step for us. Caesars has implemented both point-to-point encryption and tokenization to remove all credit card data from all systems that process, store, and transmit it.  This essentially removes all risk to credit card data theft.

How is it possible to remove all risk of credit card data theft?

Worthington: In most POS systems, there’s a split second after the card swipe in which the data isn’t encrypted, and that’s enough time for malware to collect the information. Casinos retain data so we know where people are shopping and how to market to them.
With a third-party token, we remove all of that consumer information and just retain the token that has no value if it’s stolen. We never have the credit card information, and a breach like the one that happened at Hard Rock or Target can’t happen here. As of June 2015, we are 100 percent tokenized and retain no credit card data in our environment.

You host the DEF CON Hacking Conference each year. What do you learn from having the world’s best hackers on your premises?

Worthington: DEF CON attracts around 20,000 participants, including IT security professionals, law enforcement, code developers, gamers, ethical hackers, and kids to come exercise their skills. We take precautions and create the right environment so they can’t step outside of the bubble they’re supposed to be in. It gives us a great chance to work with vendors to see if they can handle a large volume of malicious activity in one space, and I use it to train my staff to investigate incidents or work with tools we deploy in our own space.

What are the keys to success in a casino environment where so many people come and go, sharing personal and financial data along the way? 

Worthington: We know that we have to develop programs that adjust to the threat landscape. The company and the board need to understand that security is a journey and not a destination, so it’s never done. The biggest thing we can do is educate the end user and the patron so they take steps to protect themselves, too. In the end, security is everyone’s responsibility.

Happiest Minds has helped Caesar’s Entertainment set up a Next Gen 24/7 incident detection and response center to detect and protect against current threats and move towards advanced level of situational awareness across the enterprise, by integrating analytics and advance threat intelligence capabilities. Our Cyber Security solutions has helped numerous clients enhance their overall security posture and reduce operational costs.