A malicious hacker gained access to the employee emails of slot machine operator Golden Entertainment, with one email, which the hacker may have accessed, containing a wealth of customer personal data.

During the “email phishing incident”, the unauthorised individual accessed email accounts at various times between 30 May 2019 and 6 October 2019.

One email that the hacker had access to contained the following personal data belonging to customers, employees and vendors:

  • Social security numbers
  • Passport numbers
  • Government ID numbers
  • Driver’s license numbers
  • Medical data (health insurance numbers and treatment information)
  • Payment card details (expiration dates, card security codes, financial account numbers)
  • Dates of birth
  • Usernames and passwords

In a press release posted on its website at 22:20 ET Friday 31 January, Golden Entertainment said that it was not clear whether the hacker had accessed the email containing this personal data, but that it was informing customers as a precaution.

The US firm provides more than 10,000 gaming devices across Nevada and Montana and owns ten casino resorts.

Golden Entertainment phishing attack risks fraud

Golden Entertainment started informing those affected on 7 November 2019. This process was extended until 31 January this year after Golden Entertainment found “additional addresses and identified additional email accounts involved”.

After a security audit, Golden Entertainment says that it has “no evidence that any information has been misused” to date.

Phishing attacks see a cybercriminal pretend to be someone from a reputable organisation to induce victims into parting with personal data or cash.

Jake Moore, cybersecurity specialist at ESET, told Verdict that those affected by the Golden Entertainment phishing attack should check they haven’t used the compromised password for other online accounts.

“Hackers create tools to re-use passwords stolen in data breaches like this which is known as ‘password stuffing’,” he said.

“It would also be wise for all users who may have been breached to check they have two-factor authentication implemented as this makes password stuffing attacks much harder for cybercriminals.

“As bank details have possibly been compromised too, people need to be more aware of forthcoming phishing attacks and should enable extra fraud alerts on their accounts.”

Golden Entertainment is offering complimentary credit monitoring and identity protection services to those whose social security number or driver’s license number was included in the email.
