Cyber Incident Victim: Vikings Casinos
Date:
Apr 2023
Location:
France
Summary
The Vikings Casinos group was hit by a ransomware attack, forcing the immediate shutdown of its information systems to protect data. The incident was detected via the group's supervision consoles and led to the temporary closure of multiple casino locations. While no data theft was identified at that stage, forensic investigations were ongoing. A complaint was filed with authorities, and the company implemented workarounds to partially restore operations under an adapted mode of service.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around April 19, 2023, the information technology services of the Vikings Casinos group detected a cyberattack through its supervision consoles. The attack was identified as a ransomware-type incident. In immediate response to the discovery, the group took decisive action to protect its data by shutting down its entire information system, which included its computer network and applications. This action was a containment measure intended to isolate the threat and prevent its spread across the wider network infrastructure. A crisis cell was activated immediately by the group's services to manage and steer the resolution of the incident, demonstrating a coordinated organizational response to the emergency.
The initial impact of the system shutdown was the closure of multiple casino properties operated by the group. Vikings Casinos operates ten establishments across France, including locations in Houlgate and Bourbon-l'Archambault. These venues were forced to close their doors for several days following the attack, directly impacting their business operations and customer access. The closure period allowed the internal teams and their partners to assess the situation and begin the process of securing the affected environments without the pressure of live operations, thereby reducing the potential for further damage or data exposure.
Investigations into the full scope and impact of the attack commenced promptly. The primary focus of these initial forensic efforts was to determine if any data theft had occurred alongside the encryption of systems. The group publicly stated that, at that preliminary stage, no theft of data had been identified by the ongoing investigations. Concurrently, the group implemented proactive monitoring measures with its providers to surveil the attackers, aiming to prevent any potential data leak that might not have been initially visible to the cyber forensic analysis. This step indicated a concern that data exfiltration could have been a component of the attack, even if not immediately evident.
By Thursday, April 27, 2023, the group had progressed enough in its recovery efforts to allow for a partial reopening of its casinos. The casino in Houlgate announced on its social media that it was opening its games that day with a mode adapted to its current possibilities. Similarly, the casino in Bourbon-l'Archambault also reopened its doors, albeit with a partially restored operational capacity. The core business software required for full operation, described as métiers software, had been damaged in the attack and was not yet fully repaired at the time of reopening. This damage necessitated a contingency plan; the casino in Bourbon-l'Archambault, for instance, had to turn off some gaming machines that were completely dependent on the damaged software and could not function without it. The director of that site expressed hope that the remaining technical issues would be resolved before the upcoming weekend.
The financial and operational consequences of the incident were multifaceted. The forced closure represented a direct loss of revenue during the downtime. The damage to critical business software impaired the full restoration of services even after physical reopening, limiting the gaming offering available to customers. The group also incurred costs related to the forensic investigation, the implementation of enhanced monitoring measures, and the subsequent remediation efforts required to repair the damaged systems and return to normal operations. The full financial impact was not publicly quantified.
In accordance with legal and regulatory obligations, the group undertook several official actions following the incident. A formal complaint was filed with the relevant law enforcement authorities. Furthermore, the company performed preliminary notifications to two key French regulatory bodies: the Agence nationale de la sécurité des systèmes d'information (ANSSI), the national cybersecurity agency, and the Commission nationale de l'informatique et des libertés (CNIL), the data protection authority. These notifications are standard procedure following a significant cybersecurity incident, particularly one involving potential risks to personal data.
The remediation phase followed the initial containment and investigation. The group's management stated that cyber forensic investigations were ongoing and that the corresponding remediation measures would be implemented following their conclusions. The overarching objective stated by the direction was to ensure a return to normal operations. The commitment to implementing remediation measures indicated a longer-term effort to not only recover from the immediate effects of the attack but also to strengthen systems against future threats based on the findings of the forensic analysis. The public communications emphasized a concerted effort to manage the situation transparently while safeguarding customer data and restoring full service capacity across all of its casino locations.