WinStar Casino App Leaked Customer Data

Developers in charge of the mobile application of the WinStar World Casino and Resort in Thackerville, Oklahoma, left the personal information of thousands of customers open to public access after a security flaw.

Reports emerged over the weekend that the customer details of thousands of MyWinStar app users had been freely available online to anyone who could obtain the IP address of Nevada-based developer Dexiga.

The data included full names and phone numbers, as well as home, email, and IP addresses of the account holders.

Dexiga has since blocked the exploit and the database is no longer available for public access. It is unclear how long the information was freely available.

WinStar Casino Resort, owned by the Chickasaw Nation, is the largest of all Oklahoma casinos. It is also one of the biggest casinos by total floorspace in the U.S. and, it claims, the world.

Situated near the Oklahoma-Texas state line, it consistently attracts Lone Star State gamblers, as there are currently no legal Texas casinos.

Its MyWinStar app does not offer Oklahoma online casino gaming, which is not a regulated market. The app is targeted at visitors to the main resort, dealing with casino rewards and bookings, among other features.

The Investigation

The MyWinStar app’s data breach was first discovered this week by independent cybersecurity professionals.

Initially, because it was discovered through Dexiga’s systems, it was unclear exactly which company’s customer data was involved, so researchers contacted tech media outlet TechCrunch.

Working with journalists, the researchers identified the rightful holders of the data as Dexiga and MyWinStar.

While scouring the unencrypted data, researchers were even able to find the login details of Dexiga founder Rajini Jayaseelan, before contacting both them and WinStar.

The database was swiftly taken offline.

The data seemed to suggest that the breached files had been publicly accessible since at least January 28, TechCrunch said.

Dexiga told reporters that the incident occurred because the company changed its logging system in January, but did not give any specific dates.

The Responses and Potential Fallout

Initially, Jayaseelan said that the database information was all ‘publicly available’, and that no sensitive data was exposed.

There is no suggestion that financial details were leaked. However, the kind of information that was freely available will no doubt still worry customers.

“Initial investigation shows this event affected a limited number of individuals and not the entire database of My WinStar App users. It has also been determined that the information accessed involved a single file, and the app itself was not compromised,” said Jack Parkinson, WinStar World Casino and Resort president, in a statement to media over the weekend.

“We continue to work with our vendor developer to investigate what happened and what steps can be taken in the future to mitigate this issue. The safety and security of our patrons and their information is of highest priority for us, and we will notify those affected patrons as soon as we have more information.”

Oklahoma’s data privacy laws are not as stringent as those in Nevada. So, if there is to be any regulatory fallout, it will probably come Dexiga’s way first.

Because WinStar is one of the biggest U.S. gambling operations outside of the Nevada casinos of Las Vegas, it is also a distinct possibility that some MyWinStar customers who had their data leaked will have come from outside the U.S.

European data regulations, under the European Union’s General Data Protection Regulation, are among the toughest in the world, and regulators aren’t afraid to chase up breaches that affect their citizens across borders.
