Cybersecurity experts at a San Diego tribal technology conference raised the possibility Wednesday that a ransom might have been paid to hackers, given that MGM Resorts International reported properties nationwide returned to normal operations.
The hack that knocked gaming devices out of commission and disrupted operations across the board continued to reverberate among cyber experts and tribal executives attending the TribalNet technology conference.
MGM released a statement Wednesday morning saying that all of its properties nationwide are operating normally, updating a statement from Tuesday night that Excalibur was still experiencing issues with its slot machines.
That reported resolution provided a sense of relief that the incident could be over, since it has hung a dark cloud on the casino industry for the past 10 days. The MGM incident was coupled with Caesars Entertainment paying $15 million in ransom after it was hacked in August; customers’ private information was obtained, but no systems were shuttered.
The conference held sessions closed to the media to discuss the threats to tribal casinos and operations and review prescriptions for avoiding similar attacks against their properties. In 2020 and 2021, tribal casinos were shuttered and made ransom payments to hackers in order to reopen, but such major incidents have slowed in the past year as tribes have increased their cybersecurity.
The primary takeaway from the conference that set record attendance is that even with an announcement of a return to normal, it will take MGM awhile to resolve all the issues it’s been facing. Some experts in panel discussions raised the prospect that the hackers, believed to be Russians, might have helped bring the event to an end.
“That’s good news,” said Justin Raisor, a regional sales manager with Vectra AI, a San Jose-based cybersecurity company who didn’t want to speculate on ransomware. “They probably had a good plan for incident response, so it (ended) in a much quicker fashion to bring up those systems given the potential of the size of the attack. It’s great to hear.”
Dawn McGrady, director of finance for the Little River Casino Resort in northwest Michigan, said MGM being operational again is a relief for the company and the industry. “It’s come to an end and I’m sure there’s a lot of other things that have to be done to prevent further breaches. But it does bring a sense of comfort knowing they’re operational again.”
Before her team came to the conference, McGrady said they had a conversation in Michigan about the MGM incident that has raised awareness among tribal leaders and was the talk of the conference. She said more people wanted to attend this week in light of the MGM hack, but couldn’t do so on such short notice; she and her team are looking forward to briefing their staff when they return.
“A lot of times, organizations think that they have cyber insurance in place, but they never think they’re going to be hit,” McGrady said. “You look at organizations of that size that have a lot of money and believe they’re more protected than the smaller organizations. So when it happened to MGM, it sent a ripple throughout the industry. It’s horrible what happened, but it will push others to start getting on board and be more proactive.”
Tribes have formed the Tribal Information Sharing and Analysis Center to prevent cyberattacks. More people this week joined the organization to prevent being victimized; the MGM hack shone a glaring spotlight on the financial risk, especially since not all tribes have insurance to cover losses. Thus, tribes continue to be encouraged to put more resources into staffing and technology upgrades to help prevent similar situations.
McGrady said they’ve been talking about cybersecurity and taken preventive measures, but that doesn’t mean it’s not going to happen. It’s usually a matter of when. “MGM opened the doors on some of the barriers to finish our response plan. It got things moving with parts of our organization that needed to get onboard. Over the last few days, I’ve been in lots of conversations here talking about it. The timing of this conference was spot on.”
Robin Villareal, chief information officer at the Gila Resorts and Casinos outside of Phoenix, said it raised their awareness immediately, due to their partnership with BetMGM. They’ve been assured there are no issues of being compromised. Still, Gila has stepped up its monitoring.
“That’s one of things you can call an RGE, a resumé-generating event,” Villareal said of her responsibility to protect the tribal operations. “I’m fortunate that our CEO Kenneth Manual is very supportive of our initiatives to safeguard our environment. That’s the biggest challenge most tribes face. They don’t have leadership that supports them —until there’s an event and all of a sudden IT gets noticed.”
Coming to the conference will help tribal leaders better understand the threats out there with cyberattacks and have a response plan to deal with it, Villareal said.
“We all see what’s happening in Vegas and we want to make sure of what we need to do so it doesn’t happen to us. If anything, I’m spending more money on getting that talent into our organization to make sure we have the brightest.”
The cyber experts suggested social engineering was behind the hack; all it takes is someone to reach out to the IT help desk and say they need to reset their password to gain access to the system. The hackers will go to elaborate steps to learn about the IT team to convince them that they’re legitimate. Greater steps need to be made to ensure an organization is dealing with an employee and not an imposter.
Casino operators were encouraged to segment their systems, so that only one system, rather than them all, are compromised by a hack. They were also advised to take steps to prevent being impacted by security lapses with their vendors.
Andy Jabbour, co-founder and managing director at Gate 15, a security risk-management organization, hosted a ransomware workshop at TribalNet. His company does risk analysis on emerging threats, preparedness to draw down that risk, and information sharing.
“If you weren’t paying attention before, you’re paying attention now,” Jabbour said. “If the adversaries can get these two large casino organizations, then how prepared am I?”
While incidents have hit the tribal community — some publicized and some not — it’s not as highly targeted as other sectors, Jabbour said. That doesn’t mean the risk doesn’t exist.
Mike Miller, a chief information security officer at Appalachia Technologies, led a session on a leader’s guide to creating a strong security culture. He said the MGM hack was a wake-up call for every organization and definitely got the attention of people at the conference.
He noted that many people think the bigger the company, the more secure it is, but that’s not always the case.
“The big takeaway this week is no matter how strong your security infrastructure is, people are the biggest weakness. Humans are vulnerable. This incident happened because someone called and pretended to be someone over the phone. You can have all the security hardware, but we need to train our people better. More than 80% of the breaches in 2022 happened because of the human element. It wasn’t a sophisticated attack and didn’t hack the firewall. They took advantage of humans. Because that number is so high, instead of spending more money on hardware and software, we need to invest more in better training our employees. Once-a-year training is not enough.”