Some Caesars Windsor guests warned of potential info leak in hack

Judy Lemire and her husband aren't frequent customers of Caesars Windsor — making it even more of a surprise when they recently received a letter in the mail from the casino resort advising them that their personal information may have been compromised.

"To tell you the truth, I don't think I've been to the casino more than five or six times in my life," Lemire told CBC News.

As far as the Windsor couple can recall, their last visit to Caesars Windsor was before 2020.

Yet the Lemires are among an undisclosed number of past guests who have received the same letter in recent weeks.

Entitled "Notice of Data Breach," the letter refers to a cybersecurity incident that the Caesars Entertainment chain first disclosed on Sept. 14.

"The incident impacted our loyalty program database," the letter states. "Your information is contained in that database, including, among other data, your name and date of birth."

"We have no evidence that any customer passwords, PINs, bank account information, or payment card numbers were affected by the incident."

Both Windsor police and LaSalle police have publicly stated that the letters are legitimate — although neither police service is involved in the investigation.

The U.S. Federal Bureau of Investigations has said its efforts on the case are ongoing.

The FBI and the U.S. Department of Justice have not offered further comment — but members of the cybersecurity professional community have attributed the attack to a hacking group known as "Scattered Spider."

Caesars Entertainment's letter states that once "suspicious activity in our information technology network" was detected, the company activated response protocols and tried to contain the problem.

"We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee the result," the letter continues.

The letter didn't say whether Caesars paid ransom money to the hackers, though the Wall Street Journal and CNBC have reported the company paid $15 million US.

The company said it is monitoring the web for any indications the information has been "further shared, published, or otherwise misused."

Caesars Entertainment is also offering letter recipients complimentary enrolment in an identity protection service via the credit reporting company agency TransUnion Canada.

The "myTrueIdentity" service reportedly offers customers "credit and dark web monitoring" for two years.

But for Judy Lemire — who admits to not being knowledgeable about modern information technology — even use of the identity protection service fills her with misgivings.

"Nowadays, I don't trust anything," Lemire said. "The amount of information they required — I didn't really feel comfortable giving it... I'm not sure exactly what they can do."

With the current situation of Windsor Regional Hospital and other southwestern Ontario hospitals being targeted by ransom-seeking hackers, Lemire has fears about what the future holds.

"It just makes me feel like, 'What else are they gonna get?'" she wondered. "You hear of people who have lost their life savings, and things like that."

"I have a feeling, unfortunately, that it's only going to get worse. Before you know it, people are going to be paying for protection all of the time... For anything you use. Your phone. Because everything is being compromised."

Lemire said she doesn't use social media, and has become wary of providing her email address to stores. "A little too much information out there, if you ask me."