Breach exposes personal info in 'world's biggest casino' app

Casino owner tries to claim data was 'publicly accessible' on purpose

The WinStar Casino is a tribal casino, owned and operated by the Chickasaw Nation


A security breach has exposed the personal data of customers using the My WinStar app, the companion app for the Oklahoma casino resort WinStar, which bills itself as the "world's biggest casino."

The app, developed by Nevada-based software start-up Dexiga, offers guests self-service options during their stay, access to rewards points and information on casino winnings.

According to TechCrunch, the breach came to light when security researcher Anurag Sen found an unprotected database containing sensitive customer data exposed online, with no password or other authentication required to access it. The database held people's full names, phone numbers, email addresses, home addresses, gender and device IP addresses. Some sensitive details were redacted, but none of the data was encrypted.

TechCrunch verified Sen's findings, and in doing so found an internal user account and password linked to Dexiga's founder, Rajini Jayaseelan. TechCrunch then confirmed that the exposed database belonged to the My WinStar app by signing up for a test account: the test account's details appeared in the database shortly after registration.

Dexiga has now secured the exposed database, attributing the incident to a log migration in January. However, Jayaseelan downplayed the severity, claiming the information was "publicly available," despite its sensitivity.

Dexiga did not say whether anyone else had accessed the database while it was exposed, or whether affected customers would be informed. The full extent of the breach also remains unclear, as WinStar has yet to comment.

As investigations continue, Dexiga says it is committed to monitoring its IT systems and taking any necessary action. Meanwhile, the app's affected users remain in the dark about the risks the breach poses to them.

Computing says:

While US privacy law is a convoluted mix of federal, state and local regulation, Nevada has been fairly progressive in establishing and amending its own legislation since the EU GDPR came into effect. While not as comprehensive as the GDPR, Nevada's laws still require personal information to be encrypted when it is transmitted electronically or moved off a business's storage devices, and require residents to be notified of any unauthorised breach of their information. If any EU residents' data was in the database, which is plausible for a resort of this size, that data would fall under the GDPR as well.

Oklahoma has been less forward-thinking; its state-level privacy law, which came into effect in January this year, simply allows consumers to ask businesses what personal information they are collecting, and to request its deletion.

Although Dexiga has not said whether malicious actors accessed the database, Sen's access itself technically counts as an unauthorised breach, so both WinStar and Dexiga should be taking immediate action rather than trying to avoid responsibility.