After MGM and Caesars hacks, cybersecurity experts warn ‘anybody is vulnerable’
Cyber technology experts said MGM Resorts International and Caesars Entertainment did everything correctly when it came to proactively protecting their operations from the threat of a security breach.
The Strip’s two largest operators — with a combined 16 resorts — invested in technology, complied with all regulatory frameworks and had numerous cyber protections, protocols and security measures in place.
The companies even worked with cyber experts to run vulnerability tests and conducted numerous simulations and exercises with staff on what to do in the event of a cyberattack.
All of their efforts didn’t matter.
MGM Resorts and Caesars were victims of separate cyberattacks in September that brought unwanted national attention to the casino industry, given that the companies combined operate more than 60 casinos in nearly 20 states. Analysts estimated that the attacks each cost MGM and Caesars millions of dollars in lost revenue and damaged their reputation with customers and employees, many of whom had their personal data stolen in the attack.
“It just goes to show you that anybody is vulnerable,” said Gus Fritschie, senior vice president of Bulletproof, a cybersecurity firm owned by New Jersey-based Gaming Laboratories International (GLI), a leading gaming equipment testing firm.
During a GLI-sponsored cybersecurity webinar last week, Fritschie was asked how both companies, which seemingly took all the necessary steps to protect themselves, became victims. He said a simple employee error can oftentimes be the reason.
“The focus should be heavily on security awareness training and education. It needs to be a constant battle every day to try and stay ahead of the adversary,” Fritschie said. “What makes this problem so difficult to solve is you can do all the right things. It’s going to users that are the weakest link.”
National reports suggested the cyberattacks were probably carried out by teens and young adults who have allied themselves with one of the world’s most notorious ransomware gangs, part of a trend that has alarmed security experts and defenders of corporate computer networks.
Las Vegas-based gaming industry consultant Brendan Bussmann said MGM faces a tough challenge to earn back customer trust and loyalty.
MGM and Caesars have been hit with class-action lawsuits over not adequately protecting their customers’ data. Bussmann, managing partner of Las Vegas-based B Global, said the casino companies have to prove to existing and future customers that their information is safe.
“The challenge that MGM Resorts faces is not only the litany of ambulance-chasing lawsuits,” Bussmann said. “The company has to provide an experience they expect from an MGM Resorts property.”
MGM saw its business operations in eight states affected by the intrusion, including gaming floors, hotel processes and other guest services. Corporate programs, such as email and casino websites, were knocked offline. Eight days after the attack, MGM announced its resort and casino management systems were operating normally, but there were still reports throughout the rest of the month of downed or affected systems.
“Two weeks definitely tested the patience of some of their customer base,” Bussmann said.
Caesars took a different approach. In a carefully worded 8-K filing with the Securities and Exchange Commission on Sept. 14, the company acknowledged it was the victim of a cyberattack by unknown hackers who stole data associated with the company’s customer loyalty program.
However, Caesars said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
Most cyber experts suspected Caesars paid a ransom in the millions of dollars to the hackers, although the exact amount is unclear and has not been disclosed by the company.
Stephanie Benoit-Kurtz, a cybersecurity consultant on the faculty at the University of Phoenix College of Business and Information Technology, said ransom demands and payments are likely to increase.
“Five years ago, the ransoms were smaller,” said Benoit-Kurtz, who once oversaw cybersecurity for Station Casinos. “Now you’re talking $20 million, $30 million and even $50 million requests.”
She said the gaming industry has become an enticing target for cyber criminals because companies have the ability and the willingness to pay large ransom figures. Paying a ransom emboldens cyber thieves, she said, and it still doesn’t mean they will destroy stolen information.
“They might sell it to other folks,” Benoit-Kurtz said. “Organized groups have started to do hacking as a service where they're gaining credentials or gaining certain things. They're monetizing it by selling it to another group.”
‘It’s not going to end’
Bulletproof’s Vice President of Gaming Melissa Aarskaug told the webinar audience last week that the importance of assessing and updating security measures often falls to lower-level employees who need to explain the issues to management.
Oftentimes, it’s a hard sell, she said. A company may have a variety of vulnerabilities, but it may be only five of 10 that can be easily fixed.
“The other five might need another security policy or new technology services,” she said. “There could be a number of reasons for addressing those in your security policy.”
Benoit-Kurtz said the recent attacks on MGM and Caesars weren’t the first on the gaming industry, nor will they be the last.
“It’s not going to end,” she said.
Several gaming and leisure industry companies have been the victims of recent cyberattacks, including Marriott International last year. Sports betting operators DraftKings and FanDuel were also hacked in cyberattacks in 2022.
MGM Resorts was the victim of a cyberattack in 2019 that targeted a cloud server hosting the personal information of hotel guests. Some 10.6 million records were stolen and 1,300 people had critical personal information such as driver’s license and passport numbers compromised.
The most high-profile cyberattack on the casino industry happened in 2014 on Las Vegas Sands Corp., when an attack linked to Iran infected the casino company’s computer systems with malware and shut down three-quarters of its Las Vegas servers.
Sands admitted a month after the attack that customer and employee data, including Social Security, driver’s license and passport numbers, were stolen in the highly sophisticated intrusion. The company temporarily took down its individual casino websites and its corporate website from the internet.
The recovery of data and building new systems cost Las Vegas Sands roughly $40 million.
Bussmann said the cyberattacks on MGM and Caesars should be a reminder that all gaming companies have vulnerabilities.
“These are constant threats that will not go away in the modern era,” he said.
A wake-up call to gaming
At the same time MGM Resorts and Caesars were dealing with the cyberattacks, two gaming analysts were in Las Vegas for meetings with casino company executives ahead of the Global Gaming Expo, which takes place Oct. 9-12 at the Venetian Expo and Conference Center.
“Being in Vegas during the cyberattacks was eye-opening as property internet, reservation desks, check-in desks, elevators, and machines were not running smoothly,” Macquarie Securities gaming analyst Chad Beynon wrote in a Sept. 20 research note following his visit to MGM-operated casinos.
However, he said he thought the financial damage to the companies was “contained and relatively minimal,” with Caesars expected to lose $15 million in cash flow and MGM’s losses pegged at between $20 million and $40 million, all of which was expected to be covered by cybersecurity insurance.
Truist Securities gaming analyst Barry Jonas wrote on Sept. 21 that members of his group, who were staying at Mandalay Bay, reported that most customer-facing operations “were largely back to normal.”
However, Jonas said the events at Caesars and MGM were a wake-up call to the rest of the gaming industry.
“Based on our wider discussions with other companies, we believe cyber attacks are more common than some may believe, and we think urgency around defending against attacks will be heightened moving forward,” Jonas wrote.
He expects MGM Resorts will have to make additional disclosures around the attack and its response, even though any financial damages would largely be covered by business interruption insurance.
“Barring repeated attacks, we don’t see any meaningful long-term impact to MGM in Las Vegas, though we do note higher frequency regional markets could be more at risk to any customers switching play to competitors,” Jonas wrote.
Despite the warning about paying ransoms, Bussmann said the industry may take a lesson away from the difference in how MGM and Caesars handled the events surrounding the attacks.
“One saw zero to little impact. The other is still trying to put the operation back together again,” Bussmann said.