Ten days in September: the MGM attack saga

September 24, 2023 9:41 AM
  • Ken Adams, CDC Gaming Reports

For 10 days in September, MGM Resorts’ computers were out of order, offline, shut down and unresponsive to business needs. People could not play some of the slot machines, make hotel reservations or pay for a meal with a credit card. Outsiders speculated that MGM was the victim of a ransom cyberattack. In August, Caesars also had an issue, but it ended quickly, fueling rumors that Caesars had paid the ransom that MGM refused to pay.

Analysts theorized that the shutdown cost MGM $8 million a day. Not a terribly big number for a company with an annual revenue of $13 billion and $2 billion in cash flow, but still unnerving. Cyberattacks are not uncommon, and MGM and Caesars are far from the largest targets of the “dark web hackers.” Hospitals, government agencies, political leaders, banks, energy providers, communications outlets and, yes, even other casinos have been targeted. The intent is sometimes political or military, but mostly the hackers are after easy money.

There is a theory that the MGM attack began as an attempt to milk slot machines. In the theory, the hackers hoped to gain control of the machines and then send in third-party collectors to reap the benefits of liberal payouts the machines would generate. When that failed, the hackers realized they could go into the corporate computer system, disable it and demand a ransom. The Caesars rumor speculated that the ransom was $10 million to $15 million.

Ransomware attacks are not uncommon. It happened to me. In January 2017, I opened a seemingly innocent email and clicked on a link. The sender purported to be Federal Express. The email requested confirmation of my order and delivery address. I was expecting a delivery, so click the link I did. An evil program crept into my computers, capturing my data and freezing me out. Within a few minutes I received a ransom request. Luckily the outside technician who maintained my systems had created a secondary backup that was untouched. Still, it took days to clear up the issue and reinstall my database – and add yet another level of protected backup. It was neither easy nor cheap, but it was not necessary to pay the ransom.

The major safeguard is a defensive approach to the use of email: Don’t open anything unfamiliar or respond to any email from an unknown source. That is an easy fix in a one-person office, but MGM has 83,000 employees. Not so easy. That, of course, will be the challenge for MGM and every other gaming company: how to protect themselves. MGM has business interruption insurance, which may or may not pay for the disruption, and it is not a safeguard. Hardware and software solutions are essential, as are regular reviews by outside experts. In December 2022, Nevada gaming regulators passed a regulation requiring gaming companies in Nevada to assess their cybersecurity and report back to the Gaming Control Board by the end of this year.

Brian Krolicki, a Nevada Gaming Commissioner, has called upon MGM and Caesars to report to the board on the hacking events. The Massachusetts Gaming Commission has held two meetings on the subject and other states are certain to do the same. In the gaming industry, cybersecurity is a multilayered issue. There are business, consumer and regulatory layers.

When hackers successfully breach a business computer system they gain access to customers’ personal information, including addresses, phone and email information, Social Security and credit card numbers and bank information. That information can be sold on the black market. State and federal regulatory agencies take an active interest in protecting that information. For MGM customers, the breach is a big deal.

MGM and its peers are concerned about the customer data, but also about the business. MGM was not completely shut down as others have been, but it was only operating a limited number of its revenue-generating departments. It could have been much worse, but 10 days of reduced revenue and bad press is damaging.

Finally, there are the regulators whose responsibility includes the security of the gaming and the protection of the customers. The games at MGM were at least in part compromised and certainly the customers are at risk. Both of those issues will resonate with every gaming regulator in the country.

With so many vested interests, there are certain to be major efforts to protect casinos and every other business from future attacks. If this attack was a fixed event, then solutions could be found. MGM and other casinos will enhance, improve and update their protections, but it will not end there. Whatever solutions are developed, future hackers will find a way around. It is the nature of the beast in nature, war and technology.

Finding a vaccine for any flu may be easy, but as soon as the vaccine is put into use, the virus adapts, changes and returns to being a threat. In war, any new weapon or tactic elicits the same response – the opposition adjusts and comes back ready to overcome with new weapons and tactics of its own. Technology works the same way. Frequently, Microsoft sends out software updates to correct the weaknesses and vulnerabilities in its software. As frequently as the operating environment changes, more updates are required. The AI discussions and predictions are built on just that. Using a deep database, artificial intelligence is able to develop a solution to any existing problem. MGM’s saga is but one battle in a very, very long war.