Caesars Entertainment Ransomware: Casino Giant Pays $15 Million Ransom

Caesars Entertainment disclosed a major cyberattack by the same Scattered Spider group that hit MGM Resorts, but chose to pay approximately $15 million in ransom to prevent the public release of stolen customer data. The breach compromised the Caesars Rewards loyalty program database, exposing names, Social Security numbers, driver's license numbers, and other personal information for a significant number of members. Unlike MGM which refused to pay and suffered extended operational disruption, Caesars negotiated the ransom payment and maintained operations with minimal visible disruption. The contrasting responses created debate about the ethics and efficacy of ransomware payments. The FBI has consistently advised against paying ransoms, arguing payments fund criminal operations and do not guarantee data deletion. Caesars' decision to pay highlighted the difficult calculus organizations face: pay criminals to potentially limit damage or refuse and risk extended disruption and data exposure.

The ramifications of this incident extend beyond the immediate data exposure. Privacy regulators in multiple jurisdictions have opened investigations, and affected individuals are organizing collective action to demand accountability and meaningful remediation. The case highlights systemic weaknesses in how organizations handle personal data and the gap between corporate privacy promises and operational reality.

For impacted individuals, immediate action is critical. Filing a data subject access request forces the company to disclose exactly what data they hold about you, providing the foundation for deletion requests, regulatory complaints, and potential legal action. Below, we outline the specific data types at risk and the concrete steps you can take to protect yourself.