On Friday, February 28, 2014, the Las Vegas Sands Corp., owners and operators of The Venetian and The Palazzo in Las Vegas, among many others, announced that it had experienced a data breach that started on February 11, 2014 and which affected its company website and some of its office productivity systems. As a result of the breach, hackers obtained customers’ social security numbers and driver’s license numbers from the Sands Bethlehem in Pennsylvania. While Sands Corp. is still investigating whether customer information from other Sands Corp. properties was acquired during the breach, the company did state that “a fraction of one percent” of all visitors to the Bethlehem casino since 2009 had their information compromised. Notably, Sands Bethlehem is Pennsylvania’s most visited casino, hosting more than 8 million people per year. Thus, if the company’s statement is accurate and the breach is limited to Sands Bethlehem, approximately 40,000 customers have been affected by this breach.
In response to the breach, Sands Corp. spokesman Ron Reese stated: "We have also made a toll-free number and a website available for anyone with questions or concerns. The Sands Bethlehem Data Breach Information Line can be reached at 1-866-579-2213 and the website address is http://www.sandsinfo.com. We continue to work diligently with law enforcement officials and internal and external forensic IT experts to recover damaged data, restore lost data and determine the extent of data impacted in Las Vegas, as well as to ensure that the cyber criminals are identified and prosecuted."
The FBI and U.S. Secret Service are investigating the matter. As part of this investigation, a YouTube video was discovered during which hackers appeared to be accessing internal Sands Corp. folders, files, and databases. It also showed employee files and a diagram of internal networks.
Based upon the YouTube video demonstrating the amount and type of information that has been stolen and the conservative nature of companies when first reporting data breaches, do not be surprised if the number affected increases. Because this data breach involves social security numbers and driver’s license numbers, Sands must send a notification letter to each customer affected in accordance with the breach notification law for the state in which that affected customer resides.