MGM Resorts International has revealed a cybersecurity incident affecting various systems, including its website, online reservations, and in-casino services like ATMs and credit card machines. The company promptly initiated an investigation upon detecting the issue and took measures to secure its systems, resulting in the shutdown of certain systems. Reports indicate that the disruption began on a Sunday night, leading to the resorts resorting to manual operations.
Customers visiting the MGM Resorts website are currently directed to make reservations over the phone, while MGM Rewards customers are advised to call a Member Services number during specified hours. MGM's various websites using the mgmresorts.com domain have been offline for an extended period. Some guests have reported issues with their room keys not functioning, and local media outlets have noted that slot machines are displaying temporary unavailability messages.
The MGM Rewards app is also affected, urging members to seek assistance at the front desk. Fortunately, other MGM apps like MGM+ and the MGM sportsbook remain unaffected. The nature and motive behind the cyberattack have not been publicly disclosed.
This incident marks the second cybersecurity event for MGM Resorts since 2019 when a breach of one of the company's cloud services resulted in the theft of over 10 million customer records. The breach came to light in 2020 when the stolen data, encompassing guest information such as names, dates of birth, email addresses, phone numbers, and physical addresses, was openly shared on a hacker forum.
Cybersecurity leaders from around the industry shared insights on the incident and what other organizations can learn from it:
Tom Kellermann, senior vice president of cyber strategy at Contrast Security
“For decades casinos have been leaders in security. The MGM hack underscores how digital transformation increases the attack surface and how physical infrastructure can be disrupted by a cyberattack. Guards, guns and vaults cannot defend against cyber-intrusions. Cyber vigilance is paramount in an era of cybercrime.” Shobhit Gautam, Security Solutions Architect, HackerOne
“The latest cyberattack on MGM demonstrates the major impact these incidents have on company operations, the ability to take in revenue and customers. While the root cause of the attack is not yet clear, the fact that the goal of this incident differs from the 2019 MGM data leak very much is.
Back then, bad actors infiltrated internal systems to steal 142 million guest credentials to sell on the Dark Web. The goal here was likely profit, plain and simple. While money nearly always plays a role in cybercriminal activity, it appears that the intent behind this latest assault was disruption and chaos above all. With guests locked out of rooms, major revenue generators like slot machines down and multiple resorts’ systems impacted, the reputational damage and stress will mirror the likely significant financial loss.
Organizations across all industries should consider adopting an outsider mindset when considering how best to secure their organization. Ethical hackers have this mindset and help organizations find and fix any security weaknesses they have before they can be exploited on this scale. In 2022, the average bug bounty payout was just shy of $1,000 in travel and hospitality for the most critical vulnerabilities. Compare that to the cost of a data breach at $4.45 million (according to IBM), and it’s clear the investment in bringing third-party experts in to supplement security tools is well worth it.” Chris Denbigh-White, the Chief Security Officer (CSO), Next DLP
"Casinos, both repositories of substantial wealth and vast volumes of personal and financial data that harbor a minuscule appetite for operational downtime, render them exceptionally enticing prey for cyber-criminal syndicates on the hunt for financial gain.
Although specific details are lacking, the initial repercussions of this incident are far from unclear. MGM Resorts has instituted a sweeping shutdown of a substantial segment of its infrastructure. This episode accentuates the paramount role of visibility in crafting effective containment strategies. It compels businesses, irrespective of industry, to contemplate the depth to which they should be prepared to suspend or curtail their operations when confronted by such threats. MGM's response, somewhat akin to a "nuclear" option, is poised to affect its near-term revenue-generating capabilities indisputably.
As MGM Resorts looks toward the eventual restoration of its services, the imperative of a meticulously delineated and rigorously tested system restoration process takes center stage. This process must ensure that when operations recommence, unwavering confidence prevails regarding the fortitude of system defenses. Following such an ordeal, a certain degree of paranoia will undoubtedly pervade as the systems are reactivated.
The MGM incident underscores a universal truth—namely, that the calculus of cyber risk knows no industry bounds. The profound implications of this breach reverberate well beyond the casino walls, resonating as a stark reminder to senior leadership teams across sectors that the pursuit of resilience, protection of data, and the preservation of digital trust are mandates of our digital age."
###