MGM Resorts Confirms New Data Breach

Computer systems began going down on Sunday morning, and by Monday afternoon the company shut down its own systems to try and protect guest data.

Various news outlets are reporting that cyber criminals have breached the computer system at MGM Resorts, forcing it to shut down a dozen of its casino hotels in Las Vegas as well as six more properties around the United States.  According to one on-property employee who spoke with NBC 3 News on the condition of anonymity, company systems began shutting down as early as 5 a.m. Sunday morning.

Guests are reporting on social media that slot machines, ATMs and even digital hotel keys are no longer working. MGM admitted on its website, online reservation system, and credit card machines have also been affected. In a statement released by the company on Monday night, MGM acknowledged there was cybersecurity issue that caused them to shut down their own systems to protect their data. MGM also said it notified law enforcement and external cybersecurity experts.

This isn’t the first time MGM has suffered a data breach. In 2018, one of its cloud servers was hacked which led to between 142 and 200 million MGM hotel guests having their data points put up for sale on the dark web.

Read more about that breach: MGM Data Breach 14x Higher than Initially Thought

To learn more about the potential implications of this cybersecurity incident on MGM Resorts, HT reached out to cybersecurity experts for their opinion.

Erich Kron, Security Awareness Advocate at cybersecurity company KnowBe4, commented:

While it hasn't been confirmed, this has all of the markings of a pretty significant ransomware attack. It's clear that a significant number of systems have been impacted, leaving guests and customers in a difficult position, while clearly impacting operations across the resort portfolio. The money being lost by the downtime, and the cost to make things right with the customers, are factors that will be putting a lot of pressure on the resort and casino giant to get the systems back up and running. Given the pressure, it would not be surprising for MGM Resorts to pay the ransom in an effort to get systems back online quickly, however, that would just be the start of the recovery efforts. Not only will they have to take measures to ensure the bad actors do not have back doors planted on systems and devices across their network, the modern ransomware playbook typically involves the exfiltration of data, meaning that they are likely to be dealing with yet another data breach.

For customers of MGM Resorts, it is important that they stay alert and cautious whenever dealing with someone claiming to be with the resort, because if the customer information has been impacted, cybercriminals can use it to create very convincing emails, or attacks through text messages or even phone calls. The impact of this latest cyberattack will certainly be causing issues for MGM Resorts for months, if not years.

Shobhit Gautam, Security Solutions Architect, HackerOne, commented:

The latest cyberattack on MGM demonstrates the major impact these incidents have on company operations, the ability to take in revenue and customers. While the root cause of the attack is not yet clear, the fact that the goal of this incident differs from the 2019 MGM data leak very much is.

Back then, bad actors infiltrated internal systems to steal 142 million guest credentials to sell on the Dark Web. The goal here was likely profit, plain and simple. While money nearly always plays a role in cybercriminal activity, it appears that the intent behind this latest assault was disruption and chaos above all. With guests locked out of rooms, major revenue generators like slot machines down and multiple resorts’ systems impacted, the reputational damage and stress will mirror the likely significant financial loss.  

Organizations across all industries should consider adopting an outsider mindset when considering how best to secure their organization. Ethical hackers have this mindset and help organizations find and fix any security weaknesses they have before they can be exploited on this scale. In 2022, the average bug bounty payout was just shy of $1,000 in travel and hospitality for the most critical vulnerabilities. Compare that to the cost of a data breach at $4.45 million (according to IBM), and it’s clear the investment in bringing third-party experts in to supplement security tools is well worth it.

Pete Nicoletti, Field CISO at Check Point Software Technologies, commented:

A couple thoughts. First, the new SEC Guidelines say that if something could affect just one investor within the company, you have to report it and file an 8K within 3 days. So, we may see the first 8K filed very soon. That document could provide some attribution details. Second, to see MGM have these many subsystems affected by this attack is very concerning. It's usually just one system that gets successfully attacked. But to see rooms, slot machines, phones, the Internet, their website, etc. all go down at once means this is likely going to be a cloud misconfiguration issue. All those things really should be protected from each other. One domino should not knock down all the other dominoes. 

Joe Juchniewicz, Principal Security Consultant, Calian IT & Cyber Solutions, commented:

Since this is an ongoing investigation, the details and methods may change; however, at the moment, with all the current information, this is what we know.

The MGM attack was another example of how malicious gangs use small attacks to gain access and instigate larger attacks within an organization. These attacks do not target the operating systems but the multiple third-party programs running on these devices.

Since the investigation is ongoing, there has been speculation about the several alleged attacks used for this breach. The group is called Scattered Spider, a known malicious group specializing in social engineering tricks to get login credentials from their targets, in this case, several MGM employees. 

First is a social engineering event that allows credentials to be leaked. Once the credentials were accessed, the malicious user used them to get additional access to internal systems and processes and then upload their malicious tools and software to conduct additional attacks.

Several tech articles indicate that access to internal systems was allowed due to missing patches on a few critical devices, allowing the attacker to access the environment and encrypted system, deploy ransomware, and exfiltrate data. 

At this point in the story, the “how” is still being investigated. The “why” is easy - money. The reasoning why is because they could. 

This ad will auto-close in 10 seconds