MGM Resorts has announced that it will be shutting down 12 of its hotels and casinos in and around Las Vegas. The reason—a ransomware attack of unknown magnitude on servers containing a goldmine of customer data. MGM reports that it managed to detect the breach at a fairly early stage and notify the authorities and law enforcement, but the damage incurred is yet to be evaluated.
The first line of defense in such a situation would be to disable the compromised channels to prevent any further damage. MGM, rightly, turned off its systems and will continue to do so for the near future, until advised otherwise by the proper authorities. The company has announced that it has initiated a timely investigation with third-party cybersecurity agencies, but to what extent will that be of help?
All in on impact assessment
The MGM group of hotels and casinos includes some of the most iconic properties in Las Vegas. The Bellagio, known for its eye-catching fountain display, and The Mandalay Bay, one of Vegas’ most iconic casinos, are among the 12 affected MGM properties. Around 46% of MGM’s global revenue is made from its Las Vegas segment. That amounts to about 8 million dollars in revenue per day.
Cybersecurity and casino industry experts alike have suggested that MGM could drum up millions of dollars in losses per day. Its slot machines alone are responsible for several millions in daily revenue. Imagine you’re a vacationer or tourist who’s saved big and arrived here to get the full “Vegas experience,” only to enter a semi or non-functioning hotel with the additional benefit of having your personal data compromised. This is not the kind of impression that a hotel would want to make on today’s holiday-makers whose thumbs are only a few inches away from leaving a bad review. This is in addition to the cost of having to pay the ransom to the attacker, which could easily get up to 10 million dollars and above.
After paying this ransom, one cannot say for certain if the data will be decrypted or if the attacker will go all in and demand a bigger sum. On the off chance that the hotel decides to renounce the hostage data and not pay the ransom, the network infrastructure would be rendered null and void and, again, a few million dollars of restoration would be on the cards. But the worst loss of all is the breach of customer data, which negatively impacts trust and in turn directly impacts business.
Rolling the dice on root cause analysis
Like any good investigation, the next logical step would be to follow the breadcrumbs and narrow down a perpetrator; when it comes to ransomware attacks, the answer is most likely right on your screen. The threat actor could be an individual, a group, or even a Ransomware as a Service (RaaS) provider.
RaaS—think of SaaS but nefarious.
Ransomware service providers equip affiliates with ransomware bundles and kits, which usually consist of a customized variant of a ransomware code along with 24/7 support and other such benefits. Look no further than the dark web for exciting offers and discounts. You can even find messaging boards and forums where past users can leave reviews and rate the services they’ve used. These kits can run from anywhere between $50 to a couple thousand dollars, but the return on investment is tremendous.
MGM has reported that the FBI has been made aware of this attack and that the company is trying to find a way to negotiate with or neutralize the threat actors. Not much else has been revealed at the moment. Historically, the FBI has been involved in investigating similar breaches, like when a cyberattack on Marriott Hotels compromised over 500 million records in 2018. If the same happens with MGM, very sensitive PII such as names, emails, phone numbers, banking details, and passport details could be leaked, and this would mean severe implications for the brand.
Doubling down on damage control
Being subjected to such a severe shakedown, MGM Resorts must have a proper PR strategy, IT contingency, and most of all, a legal strategy in place in order to save face and make somewhat of a comeback. The international ramifications of data breaches are quite severe, especially in the European Union where the GDPR rules with an iron fist.
The UK Information Commisioner’s Office, in its infinite benevolence, reduced the fines on Marriott Hotels for its 2018 data breach, from a hefty $123 million to a cool $23.8 million dollars—fines that the MGM group could be looking at if charged. There is little doubt that the hotel group will pay the ransom to avoid the fines and the PR nightmares that come with an attack like this, but on the off chance that it is advised not to do so, its best bet is to lawyer up, keep the cash ready, and hire the best PR agency it can find.
But most of all, the vulnerability must be given the most importance by addressing the networks where the data is stored, the channels that the data passes through, and the employees that handle this data.
The 2018 Marriott breach most likely occurred due to an email spoofing or phishing attack on a blissfully ignorant employee. Upon engaging with these emails, the employee unknowingly allows the attacker to get their malware on the corporate system, thus giving them access to the corporate network and, finally, the data.
Data protection and privacy training is important for all employees
We come across the above sentiment so often that it’s become cliche even to say it or write about it anymore. Nothing could be further from reality—it’s true that all it takes to cause a multi-million dollar disaster is for a single employee to click the wrong button, and all it takes to prevent this is awareness and education.
Having a strong cybersecurity infrastructure is a given, especially with so many data privacy policies in place that could bankrupt you in a second, even for a small oversight. Don’t let your employees be that oversight. As much as you invest in top-of-the-line IT infrastructure, invest in employee training and awareness as well. That way we can ensure that, in the end, the house always wins.
