A Nevada software startup that powers the world’s biggest casino left one of its databases exposed to the internet without a password, a newly released report reveals. WinStar World Casino and Resort, a premium casino and entertainment destination in Thackerville, Oklahoma, owned by the Chickasaw Nation, currently takes pride in being the world’s largest casino in terms of square feet.
The casino resort offers My WinStar, an application that provides self-service features to hotel guests while also serving as a loyalty program. Using My WinStar, visitors can access different benefits, including loyalty rewards points, promising seamless and engaging experiences.
Last week, the tech news portal TechCrunch uncovered details regarding an exposed database belonging to Dexiga, the software startup powering My WinStar, that was “spilling customers’ private information” on the internet. The new report revealed that the exposed database was discovered by security researcher Anurag Sen. The “good-faith security researcher” found that it contained personal information, including emails, names, home addresses and phone numbers.
Access to the Database Was Discontinued
Sen contacted TechCrunch in an effort to help identify the exposed database. The tech news portal investigated the matter and found that besides names, phone numbers and emails, there was sensitive data as well, including dates of birth. Part of this data was masked with asterisks, yet the information was available online without a password.
Once TechCrunch was able to identify that the data belonged to Dexiga, they contacted the software company. Shortly after, access to the database was discontinued. After it was notified about the exposed database, Dexiga explained that the information there was “publicly available,” rejecting claims about the exposure of sensitive personal information.
The company did not confirm whether it had active tools that recorded information about the users who were able to access the database. Still, while the database was available, anyone who knew Dexiga’s public IP address was able to access it via a web browser.
On the same topic, earlier this month, a cybersecurity expert warned about the dangers of cyberattacks for casinos. Dan Lohrmann, a cybersecurity expert with extensive experience, revealed that gambling operators who fall victim to cyberattacks may be subject to further attacks unless they take proper action. Lohrmann said that even if gambling operators settle a matter by paying a ransom, they are still vulnerable unless they implement changes to their cybersecurity policies.