Guests stand in line waiting to check into their rooms Sept. 14 at the Aria. MGM Resorts International was hit with a cyberattack that shut down much of its normal operations, causing longer-than-usual lines and temporarily discontinuing some services.
Thursday, Sept. 21, 2023 | 2 a.m.
Cyberattacks that victimized major resort companies on the Las Vegas Strip this month are a strong reminder to stakeholders to protect their operations from the evolving online threats, an industry expert said.
If it happened once, it can happen again, said Lisa Plaggemier, the executive director at Washington, D.C.-based National Cybersecurity Alliance.
“Training people is really, really important,” Plaggemier said. “Ninety-nine percent of the things that happen involve human error. In a perfect world, if I’m an employee and do something I shouldn’t, like click on a phishing email, (the attacker) should be able to break through into the system.”
MGM Resorts International said Wednesday that its casino and hotel services are “operating normally,” a week after a crippling cyberattack.
The shutdown prevented credit card transactions and crashed the BetMGM sports betting mobile app and company websites. It also prevented digital access to guest rooms and halted some slot machine play.
The attacks weren’t limited to MGM.
Data from members in the loyalty program at Caesars Entertainment was compromised when an unauthorized actor acquired a copy of the program’s database, including the driver’s license and Social Security numbers of members, the resort said in a report to the Securities and Exchange Commission.
Caesars reportedly paid a multimillion-dollar ransom to hackers to return to full operations. MGM did not.
Plaggemier, whose group promotes cybersecurity awareness and education, and has contracts with the public and private sector, said the Las Vegas attacks emphasize the need for robust employee training, regular security audits and proactive vulnerability patching.
For example, many companies in their training send fake phishing emails to employees to test if they can spot a bad actor, Plaggemier said. The government provides this kind of software, she said.
“Believe it or not, 95% of incidents start with an email,” she said. “We’ve all got those emails from the Nigerian prince and laughed about it. (The hackers) have gotten so much more detailed. It doesn’t take much to hire a graphic artist to develop an email that looks like the real thing.”
And, Plaggemier stresses, companies small and large are at risk.
The motivation was more than likely money — pay a ransom to get back up and running, said Yoohwan Kim, a UNLV computer scientist who studies data privacy on blockchain and network security.
“One thing is clear: When this happens, there’s a lot of chaos in the company figuring out what it will take to fix it,” Kim said last week.
Plaggemier said it’s best for companies to predetermine whether or not they will pay a ransom and how much they are willing to spend. Making a rushed decision “when your hair’s on fire” from the attack is a formula for disaster, she said.
What happened with MGM and Caesars is likely impacting the preparation of other tourism-based companies.
“I hope they are holding table talk exercises all the way up to the board level,” Plaggemier said of training exercises conducted in preparation of a ransom attack. “You need to be practicing and role playing what to say and how to respond.”
The nature of the issue at MGM was not detailed, but officials said their efforts to protect data included “shutting down certain systems.” The FBI is taking part in the investigation.
MGM is waiving fees for people who canceled reservations from Wednesday through this Sunday, saying “we understand your travel plans may have changed.”
Plaggemier said would-be customers of MGM shouldn’t worry about credit card data being compromised, because consumers aren’t liable for fraudulent activity on swipes. “We’ve been swiping credit cards for a long time,” she said.
Without knowing the specifics of the attacks, she couldn’t dissect how resort officials at both companies responded. She praised them for how they communicated to customers, saying “they have been forthright with their communication and quick to communicate; that is critical.”
What’s even more critical is using the incidents to enhance education and security measures. “You have to get it on the agenda,” she said of preparation.
[email protected] / 702-990-2662 / @raybrewer21
