CYBERSECURITY FOR GAMBLING
ACID Technologies provides the gambling industry with 24/7/365 dark web monitoring services, while also monitoring the deep web and multiple additional sources and platforms. When detecting a threat, ACID sends real-time, actionable alerts with all available information, to enable the intended victim to effectively respond to the threat and mitigate its harmful impact on its operation, whether service disruption, ransom demand, data theft or other.
What makes the online gambling industry attractive to cyber attackers?
The online gambling industry is continuing its year-over-year upward trend. The number of gamblers worldwide is estimated at about 1.6 billion; approximately 10% of these are online gamblers. By 2029, their number is expected to be more than 290 million (Statista). Increased digitization and the use of mobile phones, apps and e-wallets have contributed to the ease of gambling online and helped fuel the growth of this industry.
The revenue in the online gambling market is projected to amount to $97.15 billion in 2024, and continue growing annually, reaching $132.9 billion in 2029 (Statista). Grand View Research expects the global online gambling market to grow at a compound annual growth rate (CAGR) of 11.7% from 2023 to 2030, from $66.53 billion in 2022.
The growing number of online gamblers and the increasing revenue of this industry do not escape the attention of cyber attackers looking to steal personally identifiable information (PII) and make an easy profit.
Free gambling apps are particularly vulnerable. A case in point is the cyber attack waged on the Clubillion Gambling app, which offers gamblers more than 30 slots for free. Its users are spread around the world, in the USA, Canada, Australia, India, Indonesia, Brazil, Germany, Poland, Italy, Spain, the Netherlands, Russia and more. Housed on a misconfigured Elasticsearch engine, the unprotected database recorded up to 200 million records per day (50GB), including details of the technical activity of both Android and iOS users around the globe, as reported by Bitdefender, citing a vpnMentor report. The investigation covered in this report revealed that sensitive data was leaked because of a technical glitch that left details such as names, winning records, IP addresses, private account messages, phone numbers and email IDs open to access by hackers.
The report further stated that “every time an individual player took any action on the app, a record was logged.” The researchers warned that “if cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device.” The leaked information could also be used by cybercriminals to perpetrate phishing attacks, which poses additional risks.
What are the main risks faced by the online gaming industry?
The main risks include:
- Financial risks associated with fraud, resulting from account takeovers, scams and abuse of bonuses.
- Data breaches, perpetrated with the intention to steal PII, financial information and other sensitive user data, which online gambling operators possess in immense quantities.
- Service disruption, which causes users to lose trust in the online gambling platform and to prefer a competitor’s platform. Loss of user confidence translates directly into more lost revenue, in addition to the loss of revenue resulting from system downtime. Such disruption can be caused through the launch of Distributed Denial of Service (DDoS) attacks.
- Regulatory noncompliance, covering data protection among other areas, is a major risk factor. Online gaming platform operators are legally obligated to comply with the requirements of both local and international regulators. The implications of failure to comply, when such immense amounts of personal and other sensitive data are involved, can be formidable. The requirements include, but are not limited to, the European General Data Protection Regulation (GDPR), which governs the collection, storage and processing of data, and is considered by many as setting a global standard. The UK Gambling Commission, as another example, has set regulations that apply to UK operators. In the USA, the situation is far more complicated, as the different states exercise their authority to set requirements of their own.
- Supply chain attacks, through third-party vendors of the gambling platform operators. These can be a weak link if they fail to implement adequate cybersecurity safeguards and regularly upgrade them as needed.
What are some of the main GDPR requirements, and the penalties for noncompliance?
In general terms, the GDPR deals with data protection, and is especially relevant to the online gambling industry in light of the vast amount of sensitive information it holds. One of its main principles is that personal data must be processed “lawfully, fairly, and transparently.” This means that online gambling platforms are obligated to collect such information only after having received the informed consent of the users, and must also give them the option of requesting that the personal data collected by the platform operator be deleted.
How high are the penalties for regulatory noncompliance?
In 2023, the UK Gambling Commission demonstrated that it takes violations very seriously by collecting fines totaling £214.2 million. Its single largest fine amounted to £19.2 million, imposed on the William Hill Group (WH International Ltd.), for anti-money laundering and social responsibility violations.
Noncompliance with the GDPR can result in devastating penalties that are potentially lethal to an online gambling business: up to €20 million or 4% of global annual turnover, whichever is higher.
Gambling regulators in general have adopted a strict approach and are increasing their fines in an attempt to deter violators.
What are some of the methods of attack used by cybercriminals targeting the gambling industry?
According to a study into the cyber security practices within the local gambling and lottery sector commissioned by the UK’s National Cyber Security Centre (NCSC), the most common methods of attack are:
- Credential stuffing – the perpetrators deceitfully obtain valid credential combinations, such as a username and password, from a compromised site and use them with the intent to gain access to other sites, most often for financial gain. Although it is a common type of cyber attack in the gambling industry, stakeholders generally perceive its impact as mostly damage to reputation.
- Distributed Denial of Service (DDoS) – which overwhelms the system with traffic in order to make it inaccessible to users. This can cause reputational damage and loss of user confidence, as well as potential loss of revenue, as users are likely to switch to alternative gambling platforms.
- Phishing – users are tricked into clicking a link that downloads malware or redirects them to a website of the attacker’s choosing. Stakeholders generally felt that they could control this threat.
- Ransomware – the targeted individual or organization is faced with a demand for payment in return for regaining access. Stakeholders perceived ransomware attacks as potentially the most severe in terms of their impact, although not as frequently used by cyber criminals in the gambling industry as in other industries.
ACID’s solution can significantly improve the cybersecurity profile of gambling platform operators.
ACID deploys clusters of robots, implements sophisticated algorithms, injects avatars and uses crawlers imitating regular user activity in order to detect signs of impending attacks even while still in their planning stage, attacks that are in progress, and leaked data indicating that the organization’s systems have been breached. Client-specific keywords are used, and the relevant language or languages are chosen for optimal monitoring results. Once a threat is detected on the dark web, the deep web or any of the other sources monitored, ACID sends real-time alerts to the victim, enabling it to implement countermeasures to diminish the impact of the attack, or perhaps foil it altogether.