RISKS

What happened

On September 11, 2023, MGM Resorts was hit by a “devastating” cyberattack nationwide, with a number of properties impacted – including in Las Vegas. Casino industry chatter site Vital Vegas said the attack was “devastating” because “MGM Resorts has about 48,000 rooms on The Strip.”

Everything from slot machines, room keys, ATMs and reservations was affected and employees were unable to access their company emails.

“MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.” MGM said in a statement issued by MGM’s executive director of communications Brian Ahern on the company’s profile page on X (formerly known as Twitter). Ahern reportedly had to use a Gmail address instead of his work email to put the statement out.

One user on Reddit said: “I work at an mgm (not in Vegas). It’s a mess. Everything is a mess. We’re unable to do anything. Everything is manual. My coworker can’t even contact HR about his leave of absence.”

A frustrated consumer said on Twitter: “We are at one of your resorts. It’s pretty widespread. We can’t check in, pay with card, use comps, receive our gifts, get tickets out of machines.”

In a quote, a local news source reported an MGM executive said it would take “days” to fix this “disaster.” As of 3pm CT on 9/11/2023, all MGM websites using the same domain name as the main one – i.e. mgmresorts.com – had been offline for hours, currently informing that customers can make hotel reservations “at any of our destinations” over the phone.

MGM Resorts Webpage Message Showing How Many Resorts Are Affected

The cyberattack, attributed to a group known as Scattered Spider, caused significant operational disruptions for MGM Resorts. Scattered Spider, also known as UNC3944, is one of the most disruptive hacking outfits in the United States, according to Google’s Mandiant Intelligence.

The attack resulted in a ten-day shutdown of MGM’s computer systems, with most computers back online by September 18. However, the full extent of the financial impact, increased labor costs, and insurance coverage for the attack are still uncertain.

According to a second update issued by MGM Resorts on October 5, 2023, MGM Resorts determined ([o]n or around September 29) that “an unauthorized third party obtained personal information of some of its customers. The affected information included name, contact information (such as phone number, email address, and postal address), gender, date of birth, and driver’s license number. For a limited number of customers, Social Security number and/or passport number was also affected. The types of impacted information varied by individual.”

The Scattered Spider hacking group had previously claimed it took six terabytes of data from the systems of MGM Resorts and also Caesars Entertainment, which was breached as well.

MGM Resorts also stated that it “took steps to protect its systems and data, including shutting down certain systems…, quickly launched an investigation with the assistance of leading cybersecurity experts and is coordinating with law enforcement.”

MGM Resorts was also named in a class action lawsuit because of the breach. The suit, filed on Friday, September 22, 2023, alleges negligence on the part of MGM for failing to maintain adequate measures to prevent unauthorized disclosure of customers’ data.

This is the second time MGM Resorts has confirmed a cybersecurity incident since 2019, when one of the company’s cloud services was breached and hackers stole more than 10.6 million customer records. A class action lawsuit filed over that breach claims the theft of personal information could be up to 200 million hotel guests.

The company confirmed that breach in 2020, after an archive with stolen data – including guests’ names, dates of birth, email addresses, phone numbers, and physical addresses, was shared freely on a hacker forum.

Why is this important?

Cyberattack impacts on an organization can severely impact or even paralyze operations, as they did in this attack on MGM Resorts. The ability to protect mission-critical systems and respond to cyber incidents quickly is key to minimizing those impacts.

The exposure of personal data for a potentially large list of customers has already led to a loss of revenue and expenses for getting the systems back up and running. The class action will also add legal expenses best case, and a financial judgment or settlement worst case.

What does this mean to me?

Continued assessment of risks and keeping your incident response plan (IRP) up to date is key in minimizing the impact of cyberattacks when they do occur. Don’t gamble that hackers aren’t continuing to find new ways to get into your systems – it’s a losing bet!


APPROACHES

Helpful Controls


Commonality of attack

High


Article on story

MGM Resorts Las Vegas hit by major cyber attack as guests locked out of rooms


HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.

SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING