Protecting Guest Information

What should you do about vulnerable player and other databases?

As more and more of our information is digitized and stored on electronic media, the potential for manipulation or theft of this sensitive information increases dramatically. In fact, such information is frequently targeted by those who wish to profit by using it for their personal gain, or even to damage another’s reputation or to hurt a business they don’t like. While all businesses are vulnerable to an attack on the information they manage, gaming resorts may be especially exposed.

Almost all gaming properties now store vast amounts of guest information: names, addresses, dates of birth, and yes, even social security numbers. Of course, we have to do so for our own operation and as required by the federal government. At this level, we are already responsible for handling each guest’s information in a secure manner. The loss of these “personal identifiers” would immediately expose an individual to grave consequences, and the business that lost their information to potential liability.

Of course, in gaming, a lot of the information that we collect is to provide value to our guests. To develop our guests and encourage them to return, we have reward clubs, hosts, and any number of other incentives, promotions and giveaways. To do so, we must not only gather and store a player’s personal information; we must also track their play. This allows us to identify our good players, incentivize their return and increase their play. Rewarding a player requires an account that contains sensitive information, but it now also contains value, such as redeemable points, free play, comps and prizes, that can be, and is, taken by others.

All of this information is critical to us as a gaming property. However, it also provides a central data location where people, including team members, can find a treasure trove of information and value. Think about how many team members have the ability to look at or edit this type of information at this very moment. Probably more than you think. Unfortunately, it is likely that your property will suffer from, at the very least, an attempt to gain access to your databases, and that is never a good thing.

Over the course of my experience at a number of different gaming properties, both Tribal and commercial, it is rare that a property has not suffered a theft or fraud at their rewards center. In almost every case, a trusted team member was involved. In large cases, the team member worked together with their co-conspirators (usually friends and family) to take thousands of dollars from guest accounts. In these cases, the guest lost their money or value; however, the property normally replaces what was taken, and thus often loses double the original amount!

I think it’s safe to say that our player and other databases are vulnerable, and we can do a lot more to protect them. In fact, we must do so. It’s only a matter of time until a loss of sensitive data and information occurs at a gaming property again.

What can we do?

  • Realize that a data or value loss can occur at your property.
  • Confirm that your controls, policies and procedures for the handling and safekeeping of data and value are current and in place.
  • Assign a department or individual to monitor operations that handle data and value.
  • Review exceptions, suspicious activity or transactions, and large redemptions, transfers, etc.
  • Review each team member’s access to sensitive information and value, and determine if that access is necessary.
  • Encourage the surveillance department to routinely audit the rewards center for suspicious or unusual activity.
  • Train your team to recognize red flags that may indicate theft of information or value.

Finally, plan to attend our session, “Why Securing Your Player Data from Theft is a Critical Financial Issue,” at Raving NEXT, beginning January 25, 2021. To find out more about this session or how to access the recording, visit

Jennifer Boss