Rivers Casino has discovered that it was among the casino operators to have had data stolen in a string of cyberattacks earlier this year, although it seems that only one of its casinos was affected. Rivers Casino Des Plaines in Illinois has informed customers and the authorities that it discovered on Nov. 2 that a data breach took place on or around Aug. 12, 2023.
On the casino’s website, it explains the impact of the attack as follows:
Files containing certain personal information of Rivers Casino Des Plaines Team Members, customers, and online sportsbook customers may have been accessed or removed from our network as a result of this incident.
Rivers’ estimated timeline for the incident puts it a few weeks before other high-profile cyberattacks this year. Those on MGM Resorts International and Caesars Entertainment took place in early September. There’s no indication at this time of whether the incidents are related. However, the hacker groups reportedly responsible for those attacks—Scattered Spider and ALPHV—were on a spree at the time. They are known to have hit multiple businesses within and outside the gambling industry.
It is unclear why the breach remained undetected by Rivers for nearly three months. However, it suggests that, unlike MGM and Caesars, Rivers did not receive an immediate ransom demand.
What Should Rivers Des Plaines and BetRivers Customers Do?
The nature of the stolen data is similar to those other incidents. It includes personally identifiable information such as addresses, dates of birth, and drivers’ license numbers. In some cases, social security or passport numbers were also stolen. As with MGM and Caesars, Rivers has been quick to assure its customers that it does not believe that any passwords or payment card data were affected.
Rush Street Interactive also operates the BetRivers online sportsbook in Illinois, in partnership with the land-based property. The attack didn’t directly affect the online platform, but some of its users were included in the breach. This may have been through the shared Rush Rewards loyalty program, as this was what happened with the MGM and Caesars attacks.
Rivers Des Plaines has established an incident response center to deal with customers’ concerns. It’s available weekdays from 8 a.m. to 5:30 p.m. at 1-866-983-3108.
The operator suggests that those with remaining concerns can contact the Federal Trade Commission, TransUnion, Equifax, or Experian for information on fraud monitoring and security freezes.
Class Action Proposed in Illinois Federal Court
It didn’t take long after the September attacks on MGM and Caesars came to light for their customers to file multiple class actions against them. The same is now happening for Rivers’ owner Midwest Gaming & Entertainment.
On Nov. 21, five days after Rivers disclosed the incident, the law firm Wolf Haldenstein Adler Freeman & Herz LLP put out a call for Rivers customers to get in touch about their legal rights.
On Nov. 27, a proposed class action appeared in the US District Court for the Northern District of Illinois. One Michael Glebiv filed the suit on behalf of himself and his fellow customers. His representation is Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman LLC (aka Milberg Law), so there are at least two firms working on such litigation.
Like those other cases, the complaint focuses on the idea that Rivers could and should have done more to protect its customers’ data. Because Rivers only informed customers in November, Glebiv’s suit also accuses Midwest of “failing to provide timely and adequate notice” of the breach.
The following excerpts from Glebiv’s complaint show the thrust of the suit:
Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining for Plaintiff and Class Members, causing the exposure of [personally identifiable information], such as encrypting the information or deleting it when it is no longer needed […]
Defendant breached its obligations to Plaintiff and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems, networks, and data […]
As a result of Defendant’s ineffective and inadequate data security practices, the Data Breach, and the foreseeable consequences of [personally identifiable information] ending up in the possession of criminals, the risk of identity theft to the Plaintiff and Class Members has materialized and is imminent, and Plaintiff and Class Members have all sustained actual injuries and damages.