LAS VEGAS — MGM Resorts International was hit with a monster cyberattack earlier this week that left its computer systems vulnerable — so vulnerable that the company decided to shut down some of the computer systems at its hotels and casino properties until it’s safe to bring them back online.
The websites for MGM Resorts’ 31 properties were taken offline immediately after the cyberattack was discovered on Sunday, as were some of the company’s network systems. This means nothing that relies on those systems could function, including digital room keys, slot machines, and the company’s mobile rewards app. MGM did report that its dining, entertainment and gaming operations were back up and running by Monday night.
“The MGM ransomware cyberattack on over a dozen/casinos in Las Vegas and all MGM Grand Hotels & Casinos elsewhere is the largest by far in hospitality history in an industry that has had its share of cyberattack data breaches,” said Corbin Ball, a top event technology expert, speaker, consultant and author. “It has hobbled reservation systems, video slot machines, payment systems, key card access and more.” He added that data breaches are the most prevalent type of cyberattack used against corporate entities such as large hotel companies. As to why, he said, “To get money.” While the Russian ransomware-as-a-service group ALPHV, also known as BlackCat, did claim responsibility initially, later reports indicate it may have been another hacking group named Scattered Spider, also known as UNC3944. Both cyber gangs specialize in using social engineering to lure users into providing access to corporate networks. Once in, the criminals render the system inaccessible until the organization that owns the network pays a ransom.
While the extent of the attack is still emerging, current guests at the hospitality company’s Las Vegas properties — which include Aria, the Bellagio, Luxor, MGM Grand and Mandalay Bay — took to social media to report a lot of disfunction and confusion. According to a report in TechCrunch, MGM properties outside of Las Vegas also have been effected, including the websites for the MGM Springfield in Massachusetts, MGM National Harbor outside of Washington, D.C., and the Empire City Casino in New York. The attack this week follows another MGM cybersecurity breach discovered in 2020.
The company is not releasing many details at this time, saying only that it began an investigation that involves external cybersecurity experts and law enforcement as soon as it detected the problem. The company also said it is “taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The company will continue to implement measures to secure its business operations and take additional steps as appropriate.” As of Wednesday, Sept. 13, the FBI also is involved in “investigating a cybersecurity incident at gaming giant MGM Resorts International that kept several of the casino operator’s systems paralyzed for a third straight day,” according to Reuters.
While MGM Resorts is the target this time, Ball pointed out that the type of property popular with trade show organizers tends to be juicy targets for cyber criminals. “Large convention hotels with casinos are prime attack targets due to the huge volume of daily monetary transactions. To this end, these hotels have likely invested in some of the best cybersecurity measures that money can buy. This highlights the impact of social engineering as the weak link in the security chain (in this case someone posing as an employee convincing an employee to hand over system password access). It only takes one employee in the right place to make an error in judgement to, in this case, potentially cost hundreds of millions of dollars with significant disruptions to thousands of hotel guests.”
There’s not much a show organizer — or a hotel — can do once a cybercriminal gets in the door, short of paying a ransom to restore services, Ball said. “The one thing that every organization can do (aside from having up-to-date cyber security software systems) is to train all staff on phishing and spear phishing identification (it can only take a click on a malicious web link to open vulnerability) and social engineering threats.” He added, “Of course, show organizers should have due diligence in making sure the venue’s data security measures and practice safe security measures (including using VPNs, strong passwords, up-to-date antivirus programs, etc.).”
Reach Corbin Ball at (360) 734-8756 or firstname.lastname@example.org.