Cyberattack takes down Nevada Gaming Control Board website

A source close to the agency said Thursday that the attack was focused on the public-facing website for the control board and the Nevada Gaming Commission, the two agencies that oversee the state’s largest industry. The site includes agency meeting agendas, listings of gaming regulations, press releases, public statistical information, phone numbers for agency offices and public biographies of the board and gaming commission members.

Gaming license information and financial records are kept on a separate internal state agency system, sources said. No other state agencies appear to be involved in the website outage and are still operating.

Gaming Control Board Chairman Kirk Hendrick declined to comment.

In a statement posted to the agency's social media channels late Thursday afternoon, the control board said it became aware earlier this week that its website had been compromised.

“Technology personnel initiated immediate steps to protect the website by taking it offline,” the board said in the statement. “The [board] is working with experts to thoroughly assess the situation. While working to restore the full website, the [board] is preparing to publish a temporary website for those seeking access to information.”

The Nevada Gaming Commission was holding its monthly meeting in Las Vegas on Thursday morning and commissioners made no mention of the cyberattack or website being offline. The livestream of the meeting was not affected.

The control board is expected to release Nevada’s statewide gaming revenue totals for 2023 and December next week and the information would normally appear on the agency’s website.

Last September, MGM Resorts International and Caesars Entertainment — the Strip's two largest resort operators — were victims of separate cyberattacks that brought negative national attention to the casino industry, given that the companies combined operate more than 60 casinos in nearly 20 states. 

Analysts estimated that the attacks cost MGM and Caesars millions of dollars in lost revenue and damaged their reputation with customers and employees, many of whom had their data stolen in the attack. MGM said the cyberattack cost the casino operator $100 million in adjusted cash flow covering its Strip resorts, but said its cybersecurity insurance “should be sufficient to cover the financial impact of the attack on its business.”

Caesars acknowledged it was the victim of a cyberattack and took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

The Wall Street Journal and Bloomberg News, citing anonymous sources, reported Caesars paid roughly half of a $30 million ransom that hackers demanded after the cyberattack.

Last June, Nevada lawmakers and Gov. Joe Lombardo approved SB490, which allows the control board to finish replacing its decades-old information technology system. The system is separate from the control board’s website.

The board initially thought it needed almost $3.6 million from the state to finish the project when it submitted its bill draft request last year, but Hendrick said he realized in January the agency needed roughly $10 million above its estimate to complete the migration away from computer software created in the 1980s to a modern operating system.

Lawmakers approved a late amendment that gave the control board $8 million in 2023 and set aside another $5.5 million that the agency could request through the Legislature’s Interim Finance Committee to finish the project once specific parameters are met.

“You have to get off of a 40-year-old computer system or bad things could happen,” Hendrick said during testimony last year in front of the Senate Finance Committee. “The system is used for running all the board functions. Every single division uses pieces of this system. It's way past its retirement age.”