
Sports Betting Regulators Seek Proactive Response To Cyber Hacks At DraftKings

State legislators and regulators are brainstorming ways to curb cyber attacks in the wake of last month's breach

by Matt Rybaltowski
December 15, 2022
in Features, Industry

Over the course of his 12-year professional career, Josh Chin has broken into banks and high-stakes lotteries, infiltrating sophisticated networks that appear reasonably secure to the common employee.

“I’ve walked away a billionaire several times over. Sadly, I had to give the money back,” Chin told an assembled crowd of gaming experts last week in Las Vegas, drawing laughter from the audience.

Chin is not a cybercriminal, but rather an “ethical hacker,” a cybersecurity consultant hired by Fortune 500 companies and mom-and-pop shops alike to uncover vulnerabilities in cyber networks. Chin, managing partner of Net Force, a member of the Cyber Task Force Security, appeared on a digital fraud panel at the National Council Of Legislators From Gaming States (NCLGS) 2022 Winter Meeting at Resorts World Las Vegas. When conducting a large-scale assessment, a cyber practitioner such as Net Force will break down a system and then offer recommendations for an operator to methodically build it back up.

The panel convened in the wake of a cyber breach that reportedly has impacted more than 1,000 customers at DraftKings, resulting in six-figure losses from customer accounts. The sheer breadth of unauthorized intrusions reported on social media has led industry experts to wonder if the figure is exponentially higher. Last month, DraftKings confirmed that scores of bettors had aspects of their customer accounts compromised by irregular activity during Week 12 action in the NFL regular season.

DraftKings says no evidence systems were breached following report of a hack https://t.co/WPiAlC36cQ

— CNBC (@CNBC) November 21, 2022

Now, top legislators and regulators are working proactively to enact safeguards that will help lower the probability that another major sportsbook will experience a major cyber disruption.

In one prominent gaming state, the Nevada Gaming Commission will consider proposed regulations next week that would require gaming operators to determine the best practices needed to mitigate the risk of a cyber attack. While several other states could adopt similar policies on cybersecurity, some question whether hackers will still be able to exploit enforcement gaps. Those gaps raise vital questions on whether the policies will only have teeth if licensing sanctions come into play.

A look at credential stuffing

It appears that DraftKings’ customers may have fallen victim to a practice known as “credential stuffing,” a hacking technique in which fraudulent actors gain access to hundreds of stolen usernames and passwords in one fell swoop and then try them on other sites. Quite often, customers will use the same password for a sports betting account that they use for other activities, such as online banking, student loan repayments, online shopping, or even a local gym.

Once a hacking team obtains a password from a gym such as 24-Hour Fitness or another third-party site, the group uses an automated bot to test out the password on dozens of other accounts. Chin is not surprised that credential stuffing could have been the preferred form of attack in the DraftKings incident, because there are huge databases online that pair usernames and passwords, he explained. Greg Giordano, a former Nevada deputy attorney general, also expressed little surprise at the manner of the attack given that customer passwords are easily accessible on the “dark web” at a low cost.

After the hackers obtained passwords on other sites, the actors used the same log-in information to access the DraftKings accounts, the company said. The company did not find any evidence to suggest that its own systems had been breached, said Paul Liberman, DraftKings president for global technology and product, on Nov. 21.
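To make the pattern concrete, here is an added example (not from the article or from DraftKings) of how a defender could spot it in login logs: one source trying many different accounts about once each, unlike brute force, which hammers a single account. The log format, thresholds, and function name are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, succeeded)
SAMPLE_EVENTS = (
    # Bot replaying a leaked list: 12 accounts, one try each, one reused password works
    [(1000 + i * 2, "203.0.113.7", f"user{i}", i == 4) for i in range(12)]
    # Brute force against a single account: many tries, one username
    + [(1000 + i * 5, "198.51.100.9", "alice", False) for i in range(8)]
    # Ordinary customer: one typo, then a successful login
    + [(1010, "192.0.2.15", "bob", False), (1030, "192.0.2.15", "bob", True)]
)

def detect_credential_stuffing(events, window=300, min_accounts=10,
                               max_tries_per_account=2.0):
    """Flag sources that try many distinct accounts, roughly once each,
    inside a sliding time window. Thresholds are assumed, not standard."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` seconds
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            accounts = {user for _, user, _ in burst}
            wide = len(accounts) >= min_accounts
            shallow = len(burst) / len(accounts) <= max_tries_per_account
            if wide and shallow:
                best = findings.get(ip)
                if best is None or len(accounts) > best["accounts_tried"]:
                    # Successful logins inside the burst are accounts to lock and reset
                    hits = sorted({u for _, u, ok in burst if ok})
                    findings[ip] = {"accounts_tried": len(accounts),
                                    "accounts_to_reset": hits}
    return findings

if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
```

Counting per source address is only one signal; bots that rotate addresses call for the same counting keyed on other request attributes.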

When it comes to cyber breaches among leading sportsbooks in 2022, DraftKings is not alone. FanDuel, DraftKings’ main rival, has also seen a spike in cyber breaches of late, according to media reports. A third major online sportsbook that ranks in the top five of U.S. market share was also targeted in the recent hacking incidents, an industry source told Sports Handle at the conference.

When asked by Sports Handle about the percentage of customers who have been reimbursed for lost funds as of Wednesday, a DraftKings spokesman declined comment. DraftKings also did not provide an update on the number of customers targeted by the cyber activity or the overall amount of stolen funds among impacted customers.

pic.twitter.com/R8tD6xryZO

— DraftKings CX Team (@DK_Assist) November 21, 2022

The approach for new states

The panel also heard from Michael K. Morton, a senior policy counsel for the Nevada Gaming Control Board’s (NGCB) administrative division. Next week, the Nevada Gaming Commission could adopt changes to regulations that would require gaming operators to complete an annual cyber risk assessment. Under the rule, gaming operators must not only protect their own records and operations, but also the personally identifiable information of their “patrons, employees, and vendors.” Furthermore, an operator is required to inform the NGCB of a cyber attack no later than 72 hours after discovering the breach.

The panel was moderated by state Rep. Mike Finn of Massachusetts, a state preparing to launch online sports betting early next year. At the moment, Massachusetts does not have “notification language” similar to Nevada with guidance to operators on appropriate cyber defenses, Finn told Sports Handle. Finn and other legislators must work with state regulators to pass such rules.

Another 2023 newcomer, Ohio, is expected to be the most populous state to launch sports betting next year. One provision in the Ohio Casino Control Commission (OCCC) standards will require operators to undergo an independent audit of their security protocols and information technology systems at least once every three years. But OCCC Chair June Taylor indicated that the commission has the flexibility to shorten the window in cases that require expediency, telling Sports Handle that it could lower the amount to 18 months if necessary.

Ohio could rank second nationally in sports betting next year, expert says – Columbus Business First – The Business Journals https://t.co/dEwRkgK4W9 #SportsBetting #Betting #Gambling

— Sports News & Videos (@robinsportsnews) December 15, 2022

Outrunning the regulators

A common theme among regulators, legislators, and tech experts who spoke with Sports Handle over the three-day conference is that the technology used by sophisticated hacking groups is often so advanced that state governments are struggling to keep pace. A state regulator could pass an emergency measure to require independent audits every 18 months, but are the policies effective when cyber criminals can devise a strategy to bypass a security system in less than 18 hours?

There are other complications. In some states, the legislature meets sporadically. The Nevada legislature, for instance, only meets for a period of 120 days every two years. As a result, the legislature has given regulators wide latitude to pass emergency measures when it is not in session, Morton explained.

Others griped that some legislatures have not earmarked enough funds to enable enforcement teams to adequately address the problem.

To that end, Colorado Division of Gaming Director Dan Hartman will consider appointing a cybersecurity assessment task force in the coming months. The task force may include a dedicated cybersecurity chief who will work collaboratively with retail and online sportsbooks to assist the operators in better preparing for a potential intrusion. In the cryptocurrency space, Colorado has given consideration to appointing an official in a similar role, dubbed the “crypto czar.”

Seven-figure losses

A host of state legislators were quick to point out that other major industries have fallen victim to massive cyber breaches.

NCLGS President Jon Ford hails from Indiana, where the Indianapolis Housing Agency dealt with a series of massive ransomware attacks over the fall. Washington state Rep. Shelley Kloba described a security incident at the height of the pandemic that affected the personal information of 1.6 million individuals who filed unemployment claims with the state. Kloba noted that the DraftKings incident could serve as a “wake-up call” for the industry.

For companies that brush off the threat of an attack, there could be a high price to pay. After Iran breached the cyber network of Las Vegas Sands in 2014, it cost the company $40 million to rebuild its network, Morton noted.

DraftKings Users #Hacked, Money In Account Cashed Out https://t.co/Me7vV6knsL #Sec_Cyber

— CyberGuardNews (@CyberGuardNews) November 24, 2022

Another industry expert, SharpRank CEO Chris Adams, indicated that the best-case scenario for now is proactively setting guardrails, along with checks and balances, so that the occurrences of cyber attacks diminish.

“The only thing that needs to happen right now is setting a speed limit,” Adams told Sports Handle. “There is absolutely no need to put a governor on the industry’s growth engines, it’s more about setting the speed limit so that there are tangible solutions for bad actors who jeopardize this industry’s stability, growth, and ability to innovate.”

Ford, meanwhile, lauded his fellow legislators for making consumer protections a key priority of the conference. Regulations provide reasonable safeguards, but statutory mandates show that a state means business. Moreover, licensing matters are a serious undertaking, where a state often has a high bar to prove culpability — a task that is challenging given the prevalence of cyber attacks in nearly every online industry.

“We’re going to have high standards to ensure that consumers’ privacy will be protected,” Ford told Sports Handle. “If places don’t do it, they could lose their license.”

This story is the first part in a three-part series on the broad industry response to the cyber breach that impacted more than 65,000 DraftKings accounts. Next up: Part II — The technological solutions at the fingertips of stakeholders to respond effectively to cyber attacks.

Matt Rybaltowski

Matt is a veteran writer with a specific focus on the emerging sports gambling market. During Matt's two decade career in journalism, he has written for the New York Times, Forbes, The Guardian, Reuters and CBSSports.com among others. In his spare time, Matt is an avid reader, a weekend tennis player and a frequent embarrassment to the sport of running. Contact Matt at matt@usbets.com.
