WinStar Casino App Reveals Gamblers’ Personal Data

Author: Sean Chaffin | Fact checker: Tommi Valtonen

Casinos have joined the ranks of companies reaching out to gamblers via mobile apps in recent years. Many of these offer players the ability to book rooms, schedule restaurant reservations, check reward point balances and comps, and even play online casino games.

One casino app, however, recently exposed customers’ personal information via a security flaw, according to reports. WinStar casino, the Oklahoma property which bills itself as “the world’s largest casino,” has exposed some personal player information after partnering with Nevada software startup Dexiga to develop the app.

“The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser,” TechCrunch reports.

No Password Needed for Database

Dexiga took the database down after learning of the issue from TechCrunch, the site reports. Security researcher Anurag Sen initially discovered the security risk and alerted the website. Sen, who is based in India, has been known for finding other security breaches in the past and has even revealed security risks in the U.S. military.

With WinStar, Sen didn’t immediately know what company the database belonged to. He discovered that the names, phone numbers, email addresses, and home addresses of users were available online and reached out to the website in an effort to discover what company or app might be responsible for the customers’ exposure.

“TechCrunch examined some of the exposed data and verified Sen’s findings,” the site noted. “The database also contained an individual’s gender and the IP address of the user’s device.

“None of the data was encrypted, though some sensitive data — such as a person’s date of birth — was redacted and replaced with asterisks. A review of the exposed data by TechCrunch found an internal user account and password associated with Dexiga founder Rajini Jayaseelan.”

That led the site to believe that the MyWinStar app might be responsible for the exposed database. Researchers with the site later downloaded the app and signed up using a phone number. That same number then appeared in the database, confirming that the security lapse was coming from the casino app.

TechCrunch then contacted Dexiga to relay what had been discovered. The database was later taken down and secured, according to the site. Dexiga noted that the database contained “publicly available information” and that more sensitive information wasn’t revealed. The company noted that the error came from a “log migration” that was conducted in January.

“Jayaseelan would not say if Dexiga has the technical means, such as access logs, to determine if anyone else accessed the database while it was exposed to the internet,” TechCrunch notes. “Jayaseelan also would not say if Dexiga has notified WinStar of the security lapse, or if Dexiga would inform affected customers that their information was exposed. It is not immediately known how many individuals had personal data exposed by the data spill.”

A Growing Problem

The gaming industry has seen some major cybersecurity issues over the last year and these types of breaches have become a concern for the industry.

In April, several Gateway casinos in Canada were shut down for weeks after the company sustained major cyber attacks that left staff locked out of critical computer systems. The issues cost the company millions of dollars before getting systems back online and bringing employees back to work.

In the U.S., MGM Resorts experienced major service disruptions in September after a similar attack. The security breach affected all major computer systems including some slot machines, the company’s websites, email accounts, and more.

Staff members were left making reservations without the use of computers and even paying out slot winners in cash by hand. The issue took weeks to resolve and proved costly for the company, with a major negative impact on the company’s third quarter finances.

“Specifically, the company estimates a negative impact from the cyber security issue in September of approximately $100 million to the Las Vegas Strip Resorts and regional operations, collectively,” MGM noted in filings with the Securities and Exchange Commission.

The company has also suffered $10 million in expenses for technology consulting services, legal fees, and expenses of other third-party advisors used to resolve the issues. Caesars Entertainment was also the victim of a similar ransomware attack but chose to pay a ransom, according to reports.

That’s part of the reason businesses are seeing more attacks. Many can’t afford to see their operations affected and find it easier to pay the ransom, according to the Tulane University School of Professional Advancement. As more company systems become automated, targeting companies becomes even easier, and a growing “business” in itself.

According to the latest IBM Cost of Data Breach Report, the average breach costs companies about $4.5 million and 51% of organizations are planning to up security spending after experiencing some sort of security issue or breach.


Sean Chaffin is a longtime freelance writer, editor, and former high school journalism teacher. He's written for numerous poker and igaming publications and has more than 8,000 followers on Twitter under the handle @PokerTraditions.

Author of Raising the Stakes: True Tales of Gambling, Wagering and Poker Faces, Sean is a respected figure in the writing industry. As a testament to this, he also received the Aynesworth Award for investigative magazine journalism in 2017.