Phone: 303-887-5864

Email: info@huttanholdingllc.com

About Us
Contact Us

The Caesars Breach: Paying to Keep the Cards Hidden

A $15 Million Ransom Gamble

The Setup

  • September 7, 2023: Caesars Entertainment quietly paid a reported $15 million ransom
  • Discovered just days before the MGM hack
  • Unlike MGM, Caesars chose to pay rather than face operational shutdown
  • The attack began in August 2023, giving criminals weeks of undetected access

The Initial Compromise

  • Attackers gained entry through a third-party vendor
  • Used social engineering to access the vendor’s credentials
  • Moved laterally through Caesars’ systems for nearly three weeks
  • Extracted members’ data from the loyalty program database

The High-Stakes Decision

  1. Why They Paid:
    • Criminals threatened to publish stolen customer data
    • Loyalty program contained sensitive customer information
    • Management calculated potential losses would exceed ransom
  2. What Was at Risk:
    • Personal data of millions of loyalty program members
    • Financial information and gambling histories
    • Potential regulatory fines and class action lawsuits

Financial Impact

  1. Direct Costs:
    • $15 million ransom payment
    • Additional millions in cybersecurity upgrades
    • Potential regulatory fines (still pending)
  2. Indirect Costs:
    • Legal expenses from multiple class action lawsuits
    • Increased insurance premiums
    • Reputational damage and loss of customer trust

Different Casino, Same Game

  1. Comparison to MGM:
    • Both started with social engineering
    • Caesars paid ransom; MGM refused
    • Caesars avoided operational shutdown but faced different risks
  2. Valuation Implications:
    • Cybersecurity incidents are becoming predictable business risks
    • Companies face a lose-lose choice: pay ransom or face disruption
    • Third-party vulnerabilities affect company valuations

Key Takeaways for Valuation Professionals

  1. Due Diligence Considerations:
    • Assess third-party vendor security practices
    • Evaluate incident response plans
    • Consider cyber insurance coverage and limitations
  2. Valuation Model Adjustments:
    • Factor in potential ransom payments as risk contingencies
    • Assess the value of customer data as both asset and liability
    • Consider cybersecurity maturity in risk premiums

Essential Statistics

  • 3 weeks of undetected system access
  • $15 million ransom payment
  • 65+ million members in rewards database
  • Multiple class action lawsuits filed

Emperors of Risk Management

“In ancient Rome, Caesars were known for their strategic decisions. In modern Las Vegas, Caesars Entertainment had to make their own strategic choice: pay the ransom or face the consequences. As valuation professionals, you must help your clients understand that in today’s digital colosseum, cybersecurity isn’t just about technology—it’s about survival.”

Client Advisory Implications

  1. Risk Assessment:
    • Include third-party vendors in security evaluations
    • Assess the value and vulnerability of loyalty programs
    • Consider ransom payment policies in incident response plans
  2. Valuation Adjustments:
    • Factor cybersecurity maturity into company valuations
    • Consider customer data as both an asset and a liability
    • Evaluate incident response capabilities as part of due diligence