The owner of a popular slot machine chain has suffered an extensive data breach in which biometric data has been exposed.
As ZDNet reports, the chain, Dotty’s, has 200 locations across Illinois, Montana, Nevada, and Oregon, and operates an additional assortment of hotels and bars, as well as La Villita Casino. Officially operating under the name Nevada Restaurant Services (NRS), it’s a large organization, with a workforce of about 600 employees.
Now, NRS has revealed that a discovery of malware on its IT systems in January led to the realization that it had been the target of a cyberattack and data breach. The company has not disclosed the full extent of the data breach, but indicated in a statement that various kinds of customer personally identifiable information (PII) were exposed, including Social Insurance Numbers, state ID and driver’s license data, financial data, health insurance data, credit card information, and biometric data.
The incident offers another example of the perils of storing sensitive customer information, including biometric data, in improperly managed centralized databases. It also reflects the escalating problem of data breaches more broadly: even the Department of Homeland Security saw biometric information exposed in a high-profile data breach incident in 2019.
“What business does a slot machine chain named Dotty’s have managing biometrics and PII? This incident is precisely why companies like Nevada Restaurant Services should never be storing or managing customers’ biometric data,” Acuity Market Intelligence principal Maxine Most told FindBiometrics. “It further underlines the serious need for third party Biometric Identity-as-a-Services providers.”
Most participated in the FindBiometrics Enterprise Biometrics Summit last week, wherein she and other industry experts like FaceTec’s Jay Meier, NIST’s Naomi Lefkovitz, and IDEMIA’s Tarvinder Sembhi spoke on the best practices for biometrics, privacy, and identity data management. As the event demonstrated, a growing contingent of experts within the biometrics and identity industry asserts that incidents like the Dotty’s breach can be avoided by interfacing with secured systems of record, like the DMV, rather than entrusting companies with managing large honeypots of PII and biometric data themselves.
NRS has not disclosed what type of biometric data has been exposed, nor what biometric technology is used within its facilities. But it may be worth noting that a growing number of casino operators have turned to facial recognition to identify banned individuals and to help curb gambling addiction.
In any case, NRS says in a statement that it is working to mail out notices to individuals known to be affected by the data breach, and that it “has worked to add further technical safeguards to its environment.”