Sands PA Waited Nearly 10 Months to Notify Some Patrons of Last Year’s Data Breach

In February of last year, hackers infiltrated the networks of Sands Bethlehem and went to work wreaking havoc. At the time, company executives downplayed the incident, citing only the company’s mail server and consumer-facing website as having been damaged.

In reality, though, the perpetrators had done much more harm to the company than the Sands initially let on. Researchers later pointed the finger at Iranian hackers and estimated that the damage done could cost the company upwards of $40 million to fix.

Before they began wiping Sands’ servers clean, the attackers gained access to sensitive areas and swiped the personal information of an untold number of casino patrons. Some were warned immediately that their details had been breached and that they ran the risk of becoming victims of fraud.

Other patrons, however, have only now received letters from the casino warning them of the potential for identity theft. Poker player Ken Kasick was one of those to receive the delayed notice and doesn’t understand why Sands didn’t contact him earlier. “My question is why would it have taken that long to send out that letter?” he told the PA press.

Fortunately, Kasick had not had any problems in the 10 months between the attack and receiving the written warning. But he asserts that the delay in getting in touch with potentially affected customers was unacceptable.

Kasick was told by Sands that they had just realized that more areas of the network had been compromised than they had once thought; that was why they were only contacting him now, they explained.

Push for stricter data breach laws

Receiving that information early on is crucial to protect against the myriad problems that could befall someone who has had their financial information stolen. Unfortunately, the laws that regulate what businesses must tell consumers about the theft of personal information are not uniform from state to state. Under Pennsylvania law, business owners are required to notify potential victims when a hack has occurred; the law doesn’t say when they should be contacted, however.

Furthermore, a company may be investigated after an attack to find out whether it had put adequate consumer protections in place. US Attorney General Eric Holder addressed Congress last year on the issue, urging them “to create a strong, national standard for quickly alerting consumers whose information may be compromised.”

Fortunately for the Sands, the hackers were not able to break into the servers which controlled software vital for the physical functioning of the casino; the gamblers inside that day had no idea that a potentially ruinous hack was taking place.

If the perpetrators had not left a message for Sands CEO Sheldon Adelson on the company’s website, we might not have known that anything had happened at all.