Gambling Industry Cybersecurity
ACID Technologies helps gambling operators protect themselves by detecting the first signs of an impending cyberattack, as early as its planning stage, and by providing real-time, detailed alerts that enable the targeted operators to implement effective preventive measures.
ACID Technologies provides the gambling industry with 24/7/365 dark web monitoring services, while also monitoring the deep web and multiple additional sources and platforms. When detecting a threat, ACID sends real-time, actionable alerts with all available information, to enable the intended victim to effectively respond to the threat and mitigate its harmful impact on its operation, whether service disruption, ransom demand, data theft or other.
Cybersecurity for gambling operators is a growing need
The global online gambling and betting market revenue was valued at approximately US$ 58.2 billion in 2021, and is expected to reach about US$ 145.6 billion by 2030, at a CAGR of 12% between 2022 and 2030, according to a market study published by Custom Market Insights.
By geographic distribution:
- The United States’ online gambling market value in 2020 was US$ 2,178.29 million, and is projected to grow at a CAGR of 17.34% in 2022-2027 (Mordor Intelligence).
- The European online gambling market size in 2021 was US$ 34.6 billion and is expected to reach US$ 56.8 billion by 2027, at a CAGR of 7.9% in 2022-2027 (IMARC Group).
- The Asia Pacific online gambling market size was US$ 19.5 billion in 2022, and is expected to reach US$ 37.5 billion by 2028, at a CAGR of 11.39% during 2023-2028 (IMARC Group).
This huge market continues to grow at a fast pace. The digitization of services and the rising use of smartphones not only increase online gambling cyberthreats but often also make them more challenging to deal with. This market is an attractive target for cybercriminals looking for financial gain or aiming to steal personally identifiable information (PII).
Online casinos offering numerous easy gambling possibilities are thriving, particularly as they are accessible to users globally.
Consequently, effective cybersecurity for gambling platforms is essential for reliable, protected and smooth operation.
The need for cybersecurity for online casinos is also explained by operators’ preferences
Online casinos and gambling sites face increasing threats because they are attractive, potentially highly lucrative targets for cyberattacks, as described above.
However, some gambling site operators prioritize commercial considerations over cybersecurity, despite being aware of the importance of security measures to support the use of their platforms and protect themselves from potential financial losses and harm to reputation.
This only underscores the importance of effective cybersecurity for the online casino and gambling industry.
Cyberthreats that effective cybersecurity for gambling operators must address
The main cyberthreats that target online gambling sites include:
- Credential stuffing – in which hackers fraudulently gain access to valid username and password combinations from one compromised site and use them to access other sites. Credential stuffing is a common type of cyberattack targeting gambling operators.
- DDoS attacks – which severely slow down communication or cause servers to crash.
- Phishing – a common type of attack, which can target both players (with a possible offer of a bonus, for example) and employees (as when an attacker misrepresents himself as an IT manager).
- SQL injection attacks – perpetrated in order to add, delete, modify or steal data.
- Third party and supply chain management – many online gambling operators rely heavily on numerous third parties, which increases the risks they face. The main concerns in this regard are user data confidentiality and potential cyberattacks on their own organization due to the compromise of a third-party product or service. The risk is amplified when organizations fail to vet large providers as meticulously as smaller ones.
- Ransomware – this type of threat is presently not high on the list, but is a growing threat. According to a UK National Cyber Security Centre (NCSC) report published in 2021, stakeholders identified ransomware as a key threat to the industry. They added that these attacks were becoming more sophisticated, targeted and aggressive. The stakeholders feared that ransomware attacks might develop into the most severe threat both in terms of their ability to defend themselves against a possible attack and in terms of potential impact.
The importance of cybersecurity for gambling platforms with respect to regulatory compliance
Due to the huge amount of personal information and payment credentials collected by gambling operators and online casinos, they are required to adhere to strict regulations, including:
- The PCI DSS (Payment Card Industry Data Security Standard), which applies to every business that stores, processes or transmits cardholder data.
- The EU GDPR (General Data Protection Regulation): a pan-European data protection law that requires organizations to manage data appropriately, with heavy fines and penalties imposed on those who fail to comply.
Examples of recent attacks that could have potentially been avoided with ACID’s gambling cybersecurity solution
The following examples of cyberattacks emphasize the importance of implementing effective cybersecurity measures to protect gambling operators and online casinos:
- Icebreaker cyberattacks: Since September 2022 and into 2023, a social engineering cyberattack campaign has been targeting the gambling and gaming industries. According to The Hacker News, the threat actor poses as a customer while initiating a conversation with a support agent of a gaming company under the pretext of having account registration issues. The adversary then urges the individual on the other end to open a screenshot image hosted on Dropbox.
- Activision: In December 2022, the company, developer of Call of Duty, was breached. It only revealed in February 2023 that the perpetrators gained access to sensitive data on employees, as well as content schedules.
- Clubillion: A data breach in the popular gambling app with data hosted on Amazon Web Services was detected by a vpnMentor research team in March 2020, and was plugged only 17 days later. The breach originated in a technical database built on an Elasticsearch engine. The daily activities of millions of users worldwide – up to 200 million records per day (50 GB), including details of technical activity of Android and iOS users around the globe, were recorded. According to vpnMentor, “every time an individual player took any action on the app, a record was logged.” The compromised data included customers’ names, IP addresses, phone numbers, email addresses, private messages and rewards. Cybersecurity Insider summarized the potential effect of the breach: “Clubillion Data Breach could spell deep trouble to the future of the gaming app as it can lead to loss of trust among players, force EU’s data watchdog to reprimand it for breaking GDPR rules and make Google Play and Apple Store remove it from their respective platforms as it has failed to protect its user data securely.”
- MGM Resorts International hotels and casinos: In early 2020, the detection of 142 million personal details of MGM Resorts International hotels and casinos offered for sale on the dark web revealed the data breach; the hacker(s) had succeeded in exploiting a misconfiguration of MGM’s cloud server. The stolen data included personal information of 10.6 million guests, including celebrities (among them then Twitter CEO Jack Dorsey and Canadian musician Justin Bieber); US government officials connected to the FBI, Department of Homeland Security, Department of Justice, and Transportation Security Administration; and CEOs and employees at some of the world’s largest tech companies.
- SuperCasino: In January 2020, a data breach of the popular gambling website led to the exposure of customers’ private information (names, usernames, registration dates, email addresses, phone numbers, and other data for internal use). Although the company insisted that financial data (credit card information, payment credentials) and passwords were unaffected, it urged its customers to change their login details and be watchful for possible scams.
- SBTech: In March 2020, SBTech was the victim of a ransomware attack due to which its online sports and casino betting platforms were offline for about a week. The attack also affected a large number of online betting sites powered by the company, as reported by ZDNet. To cover damage incurred by customers, the company placed US$ 30 million in escrow.
The benefits of ACID’s cybersecurity for gaming operators
Gambling site operators failing to protect themselves adequately from cybercrimes place themselves at risk of great financial loss – both directly, and as a result of fines due to non-compliance with regulations and standards. They are also at risk of great harm to their reputation.
ACID offers an exceptionally cost-effective solution for online gambling operators and online casinos: It deploys clusters of bots and implements advanced AI algorithms in order to detect the first signs of an attack in the clear, deep and dark web and in multiple other sources, as early as in its initial planning phase. Once such signs are detected, ACID alerts the targeted company in real time, providing all the available information – including screenshots of threats detected on the dark web and deep web, which clients may be reluctant to access themselves. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available.
While ACID scans numerous, diverse sources 24/7/365, upon a specific request from clients, it can include additional sources that they are particularly interested in and scan those as well.
Additionally, ACID conducts widespread monitoring activities to detect any hacked accounts that may be offered for sale, indicating that a company has already been breached, to enable it to take appropriate action.
ACID’s state-of-the-art solution provides real-time alerts to cyberattacks waged against gambling sites and online casinos, even as early as in their planning stage. The initial information provided and the subsequent updates enable the targeted companies to implement effective countermeasures to mitigate the effects of an attack or foil it altogether, and support them in maintaining their business continuity.
What makes the online gambling industry attractive to cyber attackers?
The online gambling industry is continuing its year-over-year upward trend. The number of gamblers worldwide is estimated at about 1.6 billion; approximately 10% of these are online gamblers. By 2029, their number is expected to be more than 290 million (Statista). Increased digitization and the use of mobile phones, apps and e-wallets have contributed to the ease of gambling online and helped fuel the growth of this industry.
The revenue in the online gambling market is projected to amount to $97.15 billion in 2024, and continue growing annually, reaching $132.9 billion in 2029 (Statista). Grand View Research expects the global online gambling market to grow at a compound annual growth rate (CAGR) of 11.7% from 2023 to 2030, from $66.53 billion in 2022.
The growing number of online gamblers and the increasing revenue of this industry do not escape the attention of cyber attackers looking to steal personally identifiable information (PII) and make an easy profit.
Free gambling apps are particularly vulnerable. A case in point is the cyber attack waged on the Clubillion Gambling app, which offers gamblers more than 30 slots for free. Its users are spread around the world, in the USA, Canada, Australia, India, Indonesia, Brazil, Germany, Poland, Italy, Spain, the Netherlands, Russia and more.
Housed on a misconfigured Elasticsearch engine, the unprotected database recorded up to 200 million records per day (50GB), including details of technical activity of both Android and iOS users around the globe, as reported by Bitdefender, citing a vpnMentor report.
The investigation covered in this report revealed that sensitive data was leaked because of a technical glitch that left details such as names, winning track, IP addresses, private messages in accounts, phone numbers and email IDs open to access by hackers. The report further stated that “every time an individual player took any action on the app, a record was logged.” The researchers warned that “if cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device.” The leaked information could also be used by cybercriminals to perpetrate phishing attacks, which poses additional risks.
What are the main risks faced by the online gaming industry?
The main risks include:
- Financial risks associated with fraud, resulting from account takeovers, scams and abuse of bonuses.
- Data breaches, perpetrated with the intention to steal PII, financial information and other sensitive user data, which online gambling operators possess in immense quantities.
- Service disruption, causing loss of users’ trust in the online gambling platform and their preferring a competitor’s platform. Loss of user confidence translates directly into more lost revenue – in addition to the loss of revenue resulting from system downtime. Such disruption can be caused through the launch of Distributed Denial of Service (DDoS) attacks.
- Regulatory noncompliance, covering data protection among other areas, is a major risk factor. Online gaming platform operators are legally obligated to comply with the requirements of both local and international regulators. The implications of failure to comply, when such immense amounts of personal and other sensitive data are involved, can be formidable. The requirements include, but are not limited to, the European General Data Protection Regulation (GDPR), which governs the collection, storage and processing of data, and is considered by many as setting a global standard. The UK Gambling Commission, as another example, has set regulations that apply to UK operators. In the USA, the situation is far more complicated, as the different states exercise their authority to set requirements of their own.
- Supply chain attacks, through third-party vendors of the gambling platform operators. These can be a weak link if they fail to implement adequate cybersecurity safeguards and regularly upgrade them as needed.
What are some of the main GDPR requirements, and the penalties for noncompliance?
In general terms, the GDPR deals with data protection, and is especially relevant to the online gambling industry in light of the vast amount of sensitive information it holds. One of its main principles is that personal data must be processed “lawfully, fairly, and transparently.” This means that online gambling platforms are obligated to collect such information only after having received the informed consent of the users, and also to provide them with the option of requesting that their personal data, which had been collected by the platform operator, be deleted.
How high are the penalties for regulatory noncompliance?
In 2023, the UK Gambling Commission demonstrated that it takes violations very seriously by collecting fines totaling £214.2 million. Its single largest fine amounted to £19.2 million, imposed on the William Hill Group (WH International Ltd.), for anti-money laundering and social responsibility violations.
Noncompliance with the GDPR can result in devastating penalties that are potentially lethal to an online gambling business: up to €20 million, or 4% of global annual turnover, whichever is higher.
Gambling regulators in general have adopted a strict approach and are increasing their fines in an attempt to deter violators.
What are some of the methods of attack used by cybercriminals targeting the gambling industry?
According to a study into the cyber security practices within the local gambling and lottery sector commissioned by the UK’s National Cyber Security Centre (NCSC), the most common methods of attack are:
- Credential stuffing – with the perpetrators deceitfully obtaining valid combinations such as the username and password from a compromised site, with the intent to obtain access to other sites, most often for financial gain. Although it is a common type of cyber attack in the gambling industry, stakeholders generally perceive its impact as mostly damage to reputation.
- Distributed Denial of Service (DDoS) – which overwhelms the system with traffic in order to make it inaccessible to users. This can cause reputational damage and loss of user confidence, as well as potential loss of revenue, as users are likely to switch to alternative gambling platforms.
- Phishing – with users tricked into clicking a link that downloads malware or being redirected to a website of the attacker’s choosing. Stakeholders generally felt that they could control this threat.
- Ransomware – with the targeted individual or organization being faced with a demand for payment in return for regaining access. Stakeholders perceived ransomware attacks as potentially the most severe in terms of their impact, although not as frequently used by cyber criminals in the gambling industry as in other industries.
ACID’s solution can significantly improve the cybersecurity profile of gambling platform operators.
ACID deploys clusters of robots and implements sophisticated algorithms to perform continuous dark web monitoring in order to detect signs of impending attacks even while still in their planning stage, attacks that are in progress, and leaked data indicating that the organization’s systems have been breached. Client-specific keywords are used, and the relevant language(s) chosen for optimal monitoring results. Once a threat is detected on the dark web, deep web or any of the other sources monitored, ACID sends real-time alerts to the victim, enabling it to implement countermeasures to diminish the impact of the attack, or perhaps foil it altogether.