
“Cybersecurity Issue” at MGM Brings Vegas Strip Properties to a Standstill

Visitors to Las Vegas this week are likely to expect a refund on their “resort fees,” as what appears to be a ransomware attack has crippled functionality throughout one of the two largest casino-hotel chains on the Strip. MGM has not yet confirmed the nature of the attack, calling it a “cybersecurity issue,” but the catastrophic chain of failures has all the hallmarks of ransomware running wild on internal networks, and a hacking group has claimed credit for the attack.

The cybersecurity issue is also reportedly having a similar impact on MGM properties scattered throughout the US, such as those in Biloxi and Atlantic City. MGM staff and property guests are reporting issues with electronic door locks, the shutdown of reservation and front desk check-in systems, banks of slots and other electronic games rendered nonfunctional, limited function of elevators, and loss of ATM service. The one benefit that players seem to be getting out of this is that parking has become de facto free once again, as the electronic systems for collecting fees are also down.

MGM’s “cybersecurity issue” compromises about half of Strip properties

MGM owns and operates about half of the big casino-hotels on the Vegas Strip; its properties include Mandalay Bay, Luxor, Excalibur, NY NY, MGM Grand, Park MGM, and the Bellagio. Everything in Vegas under its umbrella appears to be impacted to varying degrees. The properties remain open, but operations such as front desk check-ins and payouts for casino games have had to shift to entirely manual operations, causing long delays in some cases. Guests also report “sporadic” elevator function, no television in-room and no access to the “loyalty program” systems that grant player comps and status perks.

The attack began on Monday, and ransomware gang ALPHV is claiming credit for MGM’s “cybersecurity issue.” The group took to underground forums to boast that it was able to social engineer an MGM help desk employee, found via LinkedIn, in a 10-minute phone call. There is not yet independent confirmation of the group’s involvement, nor has MGM disclosed any further information about what happened.

Regardless of who is responsible, ransomware is a very safe bet as the source of the cybersecurity issue given the visible impact on MGM’s Vegas properties. The attack has impacted not just the computer-based functions of the properties, but also the company’s public-facing websites used for booking reservations and purchasing tickets to events held at the T-Mobile Arena. Internal company network email is also reportedly down.

Erich Kron, security awareness advocate at KnowBe4, expands on ransomware being the likely culprit and what MGM customers should realistically expect in the near future: “While it hasn’t been confirmed, this has all of the markings of a pretty significant ransomware attack. It’s clear that a significant number of systems have been impacted, leaving guests and customers in a difficult position, while clearly impacting operations across the resort portfolio.”

“Not only will they have to take measures to ensure the bad actors do not have back doors planted on systems and devices across their network, the modern ransomware playbook typically involves the exfiltration of data, meaning that they are likely to be dealing with yet another data breach. For customers of MGM Resorts, it is important that they stay alert and cautious whenever dealing with someone claiming to be with the resort, because if the customer information has been impacted, cybercriminals can use it to create very convincing emails, or attacks through text messages or even phone calls. The impact of this latest cyberattack will certainly be causing issues for MGM Resorts for months, if not years,” added Kron.

Thus far, MGM has only stated that its investigation into the cybersecurity issue is ongoing and that law enforcement has been involved. It is unclear what the scope of federal involvement will be, given that lodging is classified as a “critical infrastructure” sector; each of MGM’s Vegas properties generally has about 3,000 to 6,000 guest rooms, and collectively the company holds a little over half of the hotel rooms available in the city.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, notes that the full scope of normal operation at these properties may not be restored for some time: “The MGM Resorts IT and security teams are going through security professionals’ worst fears and nightmares right now, which all security professionals can empathize with. When cybersecurity incidents occur they can have a major impact on the business and customers, especially when we are so dependent on technology for payments, communications, digital and physical access, and running critical systems. When systems are down, the business can come to a full stop. In this case, it completely turns off the tap of a major revenue stream that relies on availability and access. I have seen many serious incidents in the past and can only hope that MGM Resorts have a solid incident response plan, have practiced and simulated it, and are prepared and ready to handle this incident. Cybersecurity is a strong community, and we should always be supportive during such serious situations.”

Unclear what impact cybersecurity issue will have on guest information

At the moment, the MGM properties appear to be hanging in by printing out and manually checking prior guest reservations, and taking new reservations by phone. Credit cards are also being manually recorded at the front desk and at property bars and restaurants for later billing. But those who are aware of the prior 2019 “cybersecurity issue” that resulted in the theft of about 10 million guest records are likely feeling a little nervous about what the attackers may have extracted before they deployed ransomware on the company’s systems.

The Securities and Exchange Commission (SEC) recently adopted new cybersecurity rules for publicly traded companies of a certain size, creating a much tighter window for mandatory data breach reporting. However, those rules do not go into enforcement until December. We may learn more about the cybersecurity issue from the Nevada Gaming Control Board, which recently started requiring the state’s casinos to disclose any internet-based breaches within a three-day time limit that is rapidly approaching as of this writing.

The prior 2019 MGM cybersecurity issue ultimately resulted in relatively little sensitive PII being exposed; a breach notification letter indicates that only a small handful of identification numbers were taken, with most of the data consisting of basic contact information attached to hotel stays or casino loyalty program profiles. That breach was due to a misconfigured cloud server, however, and this attack seems to be much more expansive. The threat to MGM customers and guests may depend on how securely encrypted credit card numbers are, but more information is needed to determine the scope of the attack.

Casinos are renowned for their physical security, but in some cases are still catching up in terms of cybersecurity, as Erfan Shadabi (cybersecurity expert with comforte AG) observes: “In an era where digital transformation is reshaping the way the tourism industry operates, the reliance on interconnected systems and data-driven processes has never been greater. As such, the sector becomes an attractive target for cybercriminals seeking financial gain or to exploit vulnerabilities for malicious purposes. The MGM Resorts incident is emblematic of this overarching challenge.”

“Recognizing the pivotal role technology plays in enhancing guest experiences, optimizing operations, and facilitating global connectivity, the tourism industry must allocate resources to bolster its cybersecurity posture. To that purpose, data-centric security stands as the most effective approach in safeguarding organizations within the tourism industry due to its inherent focus on protecting the core asset that cybercriminals seek to exploit: data itself. Rather than relying solely on perimeter defenses and assuming that all breaches can be prevented, data-centric security recognizes the inevitability of potential breaches and prioritizes securing the data at its very essence. By doing so, this approach not only fortifies an organization’s defenses but also ensures that even if a breach occurs, the stolen data remains indecipherable and effectively useless to malicious actors,” recommends Shadabi.

Piyush Pandey, CEO of Pathlock, adds: “So, what can organizations like casinos do to avoid this type of attack? Coordination between access governance and cybersecurity. Having a strong access governance program – the continual testing and enforcement of application controls – significantly reduces the amount of role attack surface in those applications. Cybersecurity teams also need the ability to detect threats and compromised accounts in real-time, limiting the amount of lateral movement and data exfiltration.”