The hospitality and gaming industry has been hit hard by cyberattacks in recent weeks, with two major casino chains, Caesars Entertainment and MGM Resorts, reporting breaches that cost the businesses millions of dollars, triggered SEC breach reporting requirements, and put their credit ratings at risk. It has been reported that both attacks were propagated by the Scattered Spider and ALPHV ransomware groups, perhaps in collaboration.
Let’s talk about the impact these ransomware attacks had on the businesses their customers, and consider the lessons learned that a midmarket business could apply to prevent such incidents.
The Caesars Entertainment Breach
Caesars Entertainment, which owns over 50 hotel and casino properties around the world, disclosed in a regulatory filing on September 14 that it had suffered a cyberattack in late August that resulted in the theft of a copy of its loyalty program database, which contained personal information of a “significant number of members”, including driver’s license and social security numbers. The company said it paid tens of millions of dollars to the hackers, who threatened to release the data unless they received the ransom.
The group behind the attack is believed to be Scattered Spider, a hacking group that specializes in social engineering and vishing, or voice phishing, which involves impersonating someone over the phone to gain trust and access. According to reports, the hackers first breached an outside IT vendor that provided support to Caesars, and then used the vendor’s credentials to access the company’s network. The hackers also used a ransomware variant called ALPHV, or BlackCat, which is sold as a service on the dark web.
The MGM Resorts Breach
MGM Resorts, which operates over 30 hotel and casino venues around the world, announced on September 11 that it had shut down some of its systems due to a “cybersecurity issue” that affected its operations. For several days, guests experienced long lines, manual check-ins, non-functional slot machines, and cash-only transactions, as the company tried to restore its systems and data. The company said it was “operating normally” by September 20.
The breach was also attributed to Scattered Spider and ALPHV, and involved a similar vishing technique as the Caesars attack. The hackers reportedly called MGM’s IT department and pretended to be an employee who needed help with a password reset. They then used the reset link to install the ransomware on MGM’s network and encrypt its data. The hackers demanded a ransom of $15 million, but MGM refused to pay and instead contacted the FBI.
The Impact of the Breaches
The breaches had a significant impact on both the businesses and their customers, in terms of financial, operational, reputational, and legal consequences. The companies incurred direct and indirect costs, such as ransom payments, system recovery, lost revenue, customer compensation, and increased cybersecurity spending. The companies also faced operational disruptions, reputational damage, and potential legal and regulatory actions, as they violated various data protection and privacy laws and regulations in different jurisdictions. The customers suffered from the exposure of their personal information and the degradation of their experience.
The Key Takeaways and Lessons Learned
The breaches at Caesars and MGM serve as a wake-up call for all businesses, especially those in the hospitality and gaming industry, to improve their cybersecurity posture and resilience. Here are some of the key takeaways and lessons learned that a midmarket business could apply to prevent or mitigate such incidents:
- Assess and monitor your third-party vendors: The breaches at Caesars and MGM both started with the compromise of an outside IT vendor that had access to their networks. This shows the importance of assessing and monitoring the cybersecurity practices and performance of your third-party vendors, and ensuring that they follow the same standards and policies as your own organization. You should also limit the access and privileges of your vendors to the minimum necessary, and review and update them regularly.
- Train and educate your employees: The breaches at Caesars and MGM both involved social engineering and vishing, which exploit the human factor and the lack of awareness and vigilance of the employees. This shows the importance of training and educating your employees on how to recognize and respond to phishing and vishing attempts, and how to follow the best practices for password management, authentication, and verification. You should also conduct regular tests and simulations to measure and improve your employees’ cybersecurity skills and behavior.
These breaches highlight why cybersecurity is something you can’t afford to gamble with. If you would like to learn more specifics about how you can stay protected, please contact our team.