CYBER SECURITY
In September 2023, MGM dealt with another massive breach that disrupted their entire IT system and took over a week to resolve. 2 Once again, hackers were able to retrieve basic customer PII and in some cases, social security numbers and/or passport numbers. MGM stated that it did not believe customer passwords, bank account numbers, or payment card information were affected by the hack. However, with the depth of PII that was stolen, the cybercriminals have more than enough data to access password or financial information from the affected individuals. This hack was particularly problematic because all MGM properties – it operates fourteen hotels on the Las Vegas Strip and double that number, globally – were believed to have been affected to some degree with reports stating that room keys stopped working, slot machines were down and winnings paid from a fanny pack. 3 The attack was a “vishing” or social engineering attack where the hackers, armed with basic information about an employee, called that person’s work IT hotline looking for a password reset. This relatively unsophisticated approach exposed a lack of policies for user verification. Ten days after the systems went offline, MGM released a statement claiming that all properties were operating normally, however MGM employees reported they were still not able to access their work email accounts and that hotel reservations had to be made by phone or via third- party websites. An SEC filing made by MGM almost one month after the initial attack appeared to confirm they they were still restoring some guest-facing systems for the company. 4 In the same filing, the company estimated a negative impact of approximately US$100 million in the third quarter from the incident, and noted that it had incurred, “less than US$10 million in one-time expenses… related to the cybersecurity issue.” The company further claimed that they expected the loss to be contained in the third quarter, but admitted that it has not determined the “full scope of costs and related impacts of this issue.” That number clearly does not account for the inevitable class action lawsuits that will be filed regarding the incident. Caesars Entertainment was the target of a similar hack just days before MGM’s September 2023 incident. 5 Hackers got a copy of the Caesars loyalty card member database, which included social security and driver’s license numbers. In this case, hackers first
breached a third-party IT vendor before using that pathway to access the Caesars network. It is rumored that Caesars paid out US$ tens of millions in ransom to avoid operational disruptions similar to that experienced by MGM. Caesars and MGM are not along: in April 2023, one of Canada’s largest gaming companies, Gateway Casinos, was the target of a cyberattack resulting in 14 of their casinos being shut down for two weeks. 6 People are by far, the biggest vulnerability in cybersecurity, but they are just one small part of an array of entry points available to hackers looking to gain access to a company’s systems. Social engineering attacks are on the rise because they are significantly faster, more effective, and harder to prevent than traditional hacking methods. 7 These typically progress to distributed denial-of-service (“DDoS”) (like MGM’s September 2023 attack) and in many cases, successful ransoms. According to the 2022 Internet Crime Report produced by the FBI’s Internet Crime Complaint Center, the total number of cybercrime complaints decreased five percent from the prior year, however the dollar losses increased significantly by 49 percent (US$6.9 billion in 2021 to US$10.2 billion in 2022). 8 The alarming rate at which dollar losses have increased over the last few years should be an indicator to all sectors that it is time to prioritize cybersecurity. Another notable development – expanding connectivity – has created further cybersecurity weaknesses. The Internet of Things (“IoT”) plays a prominent parts in casino technology through items such as smart lighting, cameras, remote check- in/check-out, and event trackable casino chips. 9 In 2017, hackers were able to access a non-disclosed casino’s database of high- roller customers through a smart thermometer located in a fish tank connected to the casino’s IoT. Six years on, it is to be hoped that IoT loopholes have been patched but entities need to actively monitor their network flow to reveal vulnerabilities. Regulatory efforts: a comparison between US & UK regulation US Gaming Cybersecurity Regulations The US does not currently have an overarching data privacy
2 MGM Resorts Update on Recent Cybersecurity Issue, https://investors.mgmresorts.com/investors/news-releases/press-release-details/2023/ MGM-RESORTS-UPDATE-ON-RECENT-CYBERSECURITY-ISSUE/default.aspx. 3 Rachel Sudbeck, KOLIDE, https://www.kolide.com/blog/what-everyone-got-wrong-about-the-mgm-hack. 4 UNITED STATES SECURITIES AND EXCHANGE COMMISSION, FORM 8K – MGM RESORTS INTERNATIONAL (Oct. 5, 2023) 5 William Turton, Caesars Entertainment Paid Millions to Hackers in Attack, BLOOMBERG (Sept. 13, 2023) 6 David O’Connor, Gateway Casinos Warn Employees that Their Personal Information ‘Likely’ Compromised, CASINO.ORG (June 14, 2023). 7 PLEXTRAC, Why Social Engineering Is So Effective, https://plextrac.com/why-social-engineering-is-so-effective/ 8 FED. BUREAU OF INVESTIGATION, INTERNET CRIME REPORT (2022), https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf. 9 CENTRIPETAL, The Critical Cyber Threats That Are Targeting Casinos, https://www.casino.org/news/gateway-casinos-warn-employees-infor- mation-compromised/
PAGE 45
IMGL MAGAZINE | APRIL 2024
Made with FlippingBook flipbook maker