It started with a phone call.
Someone contacted the IT help desk at one of the most recognized names in Las Vegas hospitality, said they were an employee, and asked for a password reset. The help desk complied. That single interaction was the opening move in a cyberattack that would eventually cost the company more than $100 million, shut down slot machines across multiple properties, lock guests out of their rooms, and disable ATMs on the Las Vegas Strip for more than a week.
That was MGM Resorts in September 2023. Weeks earlier, under nearly identical circumstances, Caesars Entertainment had quietly paid approximately $15 million to attackers after its loyalty program database was stolen. The Wall Street Journal first reported the ransom payment, noting that attackers had posed as an employee and manipulated an outsourced IT vendor into handing over credentials. Caesars had faced a $30 million demand and negotiated the payment down by half.
Two of the largest casino operators in the world. Two successful attacks. Both started not with sophisticated malware, not with zero-day exploits, but with a phone call and a compliant help desk agent who had never been tested on exactly this scenario.
The gambling industry sits at the intersection of everything attackers want: enormous cash flows, real-time financial transactions, massive troves of personal and identity data, 24-hour operational requirements, and a culture that prioritizes speed and guest experience over friction. That combination makes casinos, sportsbooks, and gambling apps among the most attractive targets in the digital economy. And yet penetration testing, the practice of hiring skilled professionals to find and exploit your own vulnerabilities before someone else does, remains inconsistently adopted across the sector.
The house always wins. Unless the attacker got there first.
The Last Two Years Told a Story
MGM and Caesars were not isolated events. They were the opening chapter of a pattern that has continued with notable consistency.
In November 2024, International Game Technology, a global gambling technology company that manufactures slot machines, lottery systems, and sports betting infrastructure for operators across dozens of countries, disclosed a cyberattack in a filing with the U.S. Securities and Exchange Commission. An unauthorized third party had accessed internal systems and forced the company to take portions of its IT infrastructure offline. IGT had more than 11,000 employees and $1.9 billion in revenue through the first three quarters of that year. The breach disrupted operations and forced business continuity workarounds while the company assessed the damage. The nature and full financial impact were not publicly confirmed, but the pattern fit the ransomware profile that regulators had already been warning the industry about.
In October 2025, Fast Track, a Malta-based customer relationship management platform serving more than 100 online casino operators worldwide, confirmed that two of its casino clients had been compromised in what the company described as a highly sophisticated cyberattack. One of the affected operators, Shuffle Casino, confirmed the breach publicly on October 10, 2025, and notified users that a majority of its player base had been exposed. The stolen data included full names, home addresses, phone numbers, complete transaction histories, betting patterns, and KYC identity verification documents including copies of passports and driver’s licenses. What made the incident particularly notable was that Fast Track had renewed its SOC 2 Type 2 security accreditation just four months before the attack.
In 2025, Wynn Resorts disclosed a breach attributed to the hacking group ShinyHunters, which reportedly accessed employee data and allegedly more than 800,000 customer records, including Social Security numbers. The attackers demanded approximately $1.5 million in Bitcoin. A class-action lawsuit followed, and Wynn acknowledged in an SEC filing that its systems might remain vulnerable to future breaches.
In each of these cases, the attackers found a way in that a penetration test is specifically designed to find first.
The Misconfiguration Nobody Talks About
Ransomware and social engineering get the headlines. What gets far less attention is the quieter, more pervasive problem living inside these networks every single day: misconfiguration.
A gambling operation runs on an unusually complex technology stack. There are gaming systems and random number generators. There is surveillance infrastructure. There are payment processing platforms, loyalty program databases, hotel property management systems, restaurant point-of-sale terminals, sports betting APIs, and increasingly, mobile apps connecting all of it to players who are anywhere on the planet. These systems talk to each other constantly, and many of them were built or integrated at different times by different vendors using different security assumptions.
The result is an environment where network segmentation is often poorly enforced or simply assumed rather than tested. When the Scattered Spider group moved through MGM’s environment in 2023, investigators noted that the attackers were able to deploy ransomware to more than 100 ESXi hypervisors within the network once they had an initial foothold. That kind of lateral movement does not happen in a properly segmented environment. It happens when internal trust zones are too wide, when administrative access is over-permissioned, and when nobody has ever run a real test to see how far an attacker can travel once they are inside the front door.
Misconfigured cloud storage is a related and equally common problem. A misconfigured database at a gambling app can expose tens of millions of player activity records, including personal data, IP addresses, win and loss histories, and financial transaction logs, to anyone who knows where to look. These exposures sit quietly for months or years before they are discovered, often not by the operator at all but by a security researcher or, worse, by someone who chooses not to disclose what they found.
The FBI issued a private industry notification warning the gambling sector that ransomware groups were specifically exploiting vulnerabilities in vendor-controlled remote access systems to reach casino servers. That advisory came out after MGM and Caesars. IGT was breached over a year later through what appeared to be a similar entry vector. The warning existed. The patch did not.
A penetration test finds these things. A compliance checklist does not. This distinction matters enormously, because the gambling industry tends to treat regulatory compliance as a security strategy when the two are not the same thing at all. SOC 2 accreditation tells you that a vendor has documented controls. It does not tell you whether those controls work under real attack conditions. Fast Track had its SOC 2 certification. Its clients were still compromised four months later.
The App Layer Is a Different Problem
Online gambling apps have a unique security surface that physical casinos do not. According to industry research compiled by HALOCK Security Labs, 70 percent of all online wagers in 2024 were placed on smartphones. During Super Bowl LVIII that same year, American gamblers wagered an estimated $16 billion, much of it through mobile apps. That volume of financial transactions, moving through mobile platforms, creates an attack surface that is fundamentally different from a casino floor.
API security is where most online gambling operators are most exposed. These platforms depend heavily on APIs to connect front-end apps to payment processors, to loyalty systems, to real-time odds feeds, to identity verification services. Each of those connection points is a potential entry. Broken authentication on a single API endpoint can allow an attacker to access account balances, manipulate withdrawal requests, or harvest player data at scale. Insufficient rate limiting on login APIs enables credential stuffing attacks, where stolen username and password combinations from other breaches are systematically tried until they work. DraftKings experienced exactly this in 2022, when attackers used credential stuffing to compromise accounts and steal roughly $300,000 from players.
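The credential-stuffing pattern described above is distinguishable in login-API logs from an ordinary forgotten-password loop. The detector below is an added example, not code from any operator named on this page; the log format, IP addresses and account names are constructed for illustration.

```python
"""Credential-stuffing detector over constructed login-API log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real operator). Assumed format:
# <ISO 8601 timestamp> ip=<source address> user=<account> result=<OK|FAIL>
SAMPLE_LOG = """\
2025-10-10T02:14:01Z ip=203.0.113.5 user=alice result=FAIL
2025-10-10T02:14:02Z ip=203.0.113.5 user=bob result=FAIL
2025-10-10T02:14:02Z ip=203.0.113.5 user=carol result=FAIL
2025-10-10T02:14:03Z ip=203.0.113.5 user=dave result=OK
2025-10-10T02:14:04Z ip=203.0.113.5 user=erin result=FAIL
2025-10-10T02:14:05Z ip=203.0.113.5 user=frank result=FAIL
2025-10-10T02:20:00Z ip=198.51.100.7 user=alice result=FAIL
2025-10-10T02:20:09Z ip=198.51.100.7 user=alice result=FAIL
2025-10-10T02:20:30Z ip=198.51.100.7 user=alice result=OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), kv["ip"], kv["user"], kv["result"]


def detect_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try many *different* accounts within one time window.

    Stuffing replays leaked username/password pairs, so the signature is one
    source cycling through many distinct accounts and mostly failing. A single
    user failing repeatedly from one address (forgotten password) is not flagged.
    Any OK result inside a flagged window is a candidate account takeover.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()  # sliding window of events for this source
        for event in events:
            recent.append(event)
            while event[0] - recent[0][0] > window:
                recent.popleft()
            users = {e[1] for e in recent}
            if len(users) >= min_distinct_users:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for e in recent if e[2] == "FAIL"),
                    "possible_takeovers": sorted(e[1] for e in recent if e[2] == "OK"),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The flagged source is the one that touched six accounts in four seconds; the second source, one user retrying, is left alone, which is the distinction a blunt per-IP failure counter misses.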
Game integrity is another dimension that the app layer introduces. Attackers have been observed targeting random number generator systems and attempting to manipulate game logic through API exploits. For a regulated operator, a successful manipulation of this kind is not just a financial loss. It is a licensing event. Regulators in Nevada, New Jersey, and the United Kingdom have made clear that demonstrating the integrity of gaming systems is a condition of continued operation, and that condition increasingly includes evidence of active security testing.
Mobile apps also carry risks that desktop platforms do not, including insecure local data storage, traffic interception on unsecured networks, and the distribution of counterfeit apps designed to harvest credentials from players who believe they are logging into a legitimate platform. None of these threats show up in a standard vulnerability scan. They require someone to actively probe the application the way a real attacker would.
Artificial Intelligence Is Changing the Calculus
The social engineering attack that brought down MGM in 2023 was effective because the attacker sounded convincing enough over the phone to pass a basic human check. Now imagine that same attack with AI-generated voice cloning that can reproduce a specific executive’s voice, cadence, and speech patterns from as little as a few minutes of publicly available audio. The call is no longer from someone who sounds like they might be an employee. It is from someone who sounds exactly like the CFO, asking the help desk to restore access urgently before an important board presentation.
This is not speculative. The FBI’s 2025 Internet Crime Complaint Center Annual Report documented more than 22,000 complaints referencing artificial intelligence, with associated losses exceeding $893 million. Voice cloning and deepfake-assisted social engineering have already appeared in attacks targeting financial institutions and corporate executives. The gambling industry, with its high-profile operators, publicly known leadership teams, and enormous cash flows, is a natural next target for this class of attack.
AI is also accelerating the pace and precision of phishing campaigns targeting casino employees. Where attackers once sent generic messages and hoped someone clicked, they can now generate highly personalized emails that reference real transaction details, real colleague names, real internal terminology, and real organizational structures harvested from public sources. These messages are increasingly difficult to distinguish from legitimate internal communications, especially in a high-volume operational environment where staff are processing requests quickly and at all hours.
A data point worth sitting with: Bloomberg reported that attacks on online gambling platforms rose 37 percent year over year heading into 2025. The sector is not becoming a less attractive target as awareness increases. It is becoming a more attractive one as the tools available to attackers improve faster than the defenses most operators have deployed.
Penetration testing that includes social engineering components, specifically vishing simulations, deepfake impersonation exercises, and AI-generated phishing campaigns against staff, is now a meaningful part of what the discipline covers. Testing only the technology while leaving the human layer untested is the security equivalent of locking the vault and leaving the lobby unmanned.
What Penetration Testing Actually Finds in This Industry
The value of a penetration test is not the report. It is the discovery of the thing you did not know was there.
In gambling environments specifically, skilled testers consistently surface a set of findings that standard compliance assessments miss entirely. Flat internal networks where gaming systems, hotel management platforms, and payment infrastructure share trust zones with no meaningful separation between them. Vendor remote access credentials that were provisioned for a specific project and never decommissioned. Administrative accounts with excessive privileges that have not been reviewed since the system was first installed. APIs with no rate limiting, no anomaly detection, and no logging of unusual request patterns. Wireless networks at gaming properties where segmentation between guest, staff, and operational networks is assumed but not enforced.
These findings are not hypothetical. They are documented in the post-incident analyses of every major gambling breach of the past several years. The attackers who hit MGM moved laterally because the internal network let them. The vendor exploitation that enabled both the Caesars attack and the Fast Track compromise in 2025 succeeded because third-party access was not tested or properly scoped. The SOC 2 certification Fast Track held was not a penetration test. It was a documentation review. There is a significant difference between the two, and that difference is measured in what attackers find when they probe a system that has only ever been evaluated on paper.
For online gambling apps specifically, application-layer testing regularly uncovers broken access controls that allow one player’s account data to be accessed by another authenticated user, insecure direct object references that expose transaction records by incrementing a URL parameter, and authentication bypass vulnerabilities that exist in session management logic rather than in the login form itself. These are not exotic vulnerabilities. They are among the most commonly documented findings in web application penetration tests across industries. They simply go undetected in gambling platforms because the testing has not been done.
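The insecure direct object reference described above comes down to an endpoint that authenticates the caller but never checks who owns the record it returns. The following is an added example, not code from any platform mentioned on this page; the transaction table, session tokens and player names are constructed stand-ins.

```python
"""IDOR on a transaction-lookup endpoint: vulnerable form beside the hardened one (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    owner: str        # player account that owns this record
    kind: str         # "deposit", "wager" or "withdrawal"
    amount_cents: int


# Constructed data. Sequential ids are exactly what lets a caller walk the
# table by incrementing a URL parameter.
TRANSACTIONS = {
    1001: Transaction(1001, "alice", "deposit", 50_000),
    1002: Transaction(1002, "bob", "wager", 2_500),
    1003: Transaction(1003, "alice", "withdrawal", 20_000),
}

# Constructed session store: opaque token -> authenticated player. The caller's
# identity must come from here, never from a client-supplied parameter.
SESSIONS = {"tok-alice-9f3": "alice", "tok-bob-41c": "bob"}


class NotFound(Exception):
    """Raised for missing *and* foreign records alike, so the response does not
    confirm to a caller that another player's transaction id exists."""


def get_transaction_vulnerable(session_token: str, txn_id: int) -> Transaction:
    """Authenticates the caller but performs no object-level authorization."""
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    return TRANSACTIONS[txn_id]  # any logged-in player can read any record


def get_transaction(session_token: str, txn_id: int) -> Transaction:
    """Hardened: the record must belong to the player behind the session."""
    player = SESSIONS.get(session_token)
    if player is None:
        raise PermissionError("not logged in")
    record = TRANSACTIONS.get(txn_id)
    if record is None or record.owner != player:
        raise NotFound(txn_id)
    return record


def list_transactions(session_token: str) -> list:
    """Preferred listing pattern: the query is scoped by owner, so no id is accepted from the client."""
    player = SESSIONS.get(session_token)
    if player is None:
        raise PermissionError("not logged in")
    return [t for t in TRANSACTIONS.values() if t.owner == player]


def access_is_denied(session_token: str, txn_id: int) -> bool:
    """True when the hardened endpoint refuses the lookup (test helper)."""
    try:
        get_transaction(session_token, txn_id)
    except NotFound:
        return True
    return False
```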
The Regulatory Reality Is Accelerating
For operators who view penetration testing as optional, the regulatory environment is making that calculus more difficult to sustain. The Nevada Gaming Control Board, the New Jersey Division of Gaming Enforcement, and the UK Gambling Commission have all moved toward requiring or strongly incentivizing documented security testing as a condition of licensing and renewal. The SEC’s cybersecurity disclosure rules, which took effect for large public companies in 2023 and for smaller companies in 2024, require material cybersecurity incidents to be disclosed within four business days of a determination that they are material. MGM, Caesars, IGT, and Wynn all filed 8-K disclosures as a result.
Cyber insurance is tightening on the same axis. Underwriters have begun requiring evidence of regular penetration testing, documented remediation of findings, and tested incident response plans as conditions of coverage. Operators who cannot produce this documentation are finding their premiums rising, their coverage limits reduced, or their applications declined. The industry that once treated cybersecurity as an IT budget line is discovering that the market has repriced the risk.
There is a version of this conversation that is about compliance and insurance costs. That is a legitimate framing. But there is a more important version that is simply about what happens to a business when its systems go down during peak season, when its players’ passport copies appear on the dark web, or when a wire transfer is redirected by an attacker who spent three months inside the network undetected.
The Bet You Are Already Making
Every gambling operator that has not conducted a penetration test in the last twelve months has already made a bet. The bet is that nobody will find the misconfiguration in the internal network before the operator does. The bet is that the vendor remote access credentials provisioned two years ago are not being actively used by someone who should not have them. The bet is that the mobile app’s API layer will not be probed by someone with the time and motivation to look carefully.
These are not good bets. The MGM attack began with a ten-minute phone call. The Caesars breach started with a vendor who was socially engineered before anyone inside the company knew anything was wrong. IGT, one of the largest gambling technology companies in the world, lost control of internal systems it had not tested thoroughly enough to know were exposed. Fast Track had its certification in order and its clients were still breached.
Penetration testing does not eliminate risk. Nothing does. But it finds the vulnerabilities that compliance frameworks overlook, identifies the network paths that attackers will follow once they are inside, tests whether the people in your organization will recognize and resist a social engineering attempt, and gives operators something they cannot get any other way: an honest answer to the question of whether their defenses actually work.
In an industry built on calculated risk, there is something almost philosophically inconsistent about leaving this particular question unanswered.
The house always wins because the house knows the odds. It is time the house knew its vulnerabilities too.
References
- MGM Resorts International. Form 8-K filed with the U.S. Securities and Exchange Commission, October 2023. Company confirmed approximately $100 million negative impact to Adjusted Property EBITDAR for Las Vegas Strip Resorts and Regional Operations for the month of September 2023. Available via SEC EDGAR.
- Caesars Entertainment, Inc. Form 8-K filed with the U.S. Securities and Exchange Commission, September 14, 2023. Confirmed unauthorized access to its loyalty program database. The Wall Street Journal reported the company paid approximately $15 million, half of the initial $30 million ransom demand.
- International Game Technology PLC. Form 6-K filed with the U.S. Securities and Exchange Commission, November 19, 2024. Disclosed that an unauthorized third party gained access to certain internal systems on November 17, 2024, causing disruptions to portions of its internal IT systems and applications.
- Fast Track CRM breach, October 2025. Fast Track, serving over 100 iGaming operators, confirmed two casino clients were compromised. Shuffle Casino confirmed the breach publicly on October 10, 2025. Stolen data included KYC documents, transaction histories, and personal records. Fast Track had renewed its SOC 2 Type 2 accreditation in June 2025, four months prior to the breach.
- Wynn Resorts data breach, 2025. Breach attributed to the ShinyHunters hacking group, with a reported ransom demand of approximately $1.5 million in Bitcoin. Class-action lawsuit alleging exposure of over 800,000 customer records. Wynn acknowledged ongoing vulnerability risk in subsequent SEC filings.
- Federal Bureau of Investigation Internet Crime Complaint Center (IC3). 2025 Annual Report. AI-related complaints: more than 22,000, with associated losses exceeding $893 million. ic3.gov
- HALOCK Security Labs. Cybersecurity for Gambling Businesses, 2024. 70 percent of all online wagers placed on smartphones in 2024; Super Bowl LVIII wagering estimated at $16 billion, primarily via mobile apps; DraftKings 2022 credential stuffing attack resulting in $300,000 in player account theft.
- Bloomberg. Reporting on the 37 percent year-over-year rise in attacks on online gambling platforms heading into 2025.