Has MGM gambled with customer data security?
MGM Resorts, a prominent casino chain with a global presence, recently grappled with a severe cybersecurity incident that raised concerns about the security of customer data. Reports suggest that the breach may have originated from a single phone call, underscoring the vulnerabilities faced by even the most established organizations.
In this article, we will delve into the background of what happened with MGM’s cybersecurity, provide updates on the situation, and discuss how you can prevent such incidents from affecting you.
The Fallout: MGM Resorts’ Disrupted Operations
On September 11, MGM Resorts disclosed a “cybersecurity issue” that led to the temporary shutdown of critical systems to safeguard their data. The consequences of this disruption were far-reaching, affecting everything from hotel room access to slot machines and the functioning of their various property websites. Guests were inconvenienced by long check-in lines and handwritten receipts for casino winnings as the company resorted to manual operations to keep the resorts running.
Silent on the Details: MGM Resorts’ Response
MGM Resorts remained tight-lipped about the incident, offering only vague references to a “cybersecurity issue” on Twitter. They assured guests that efforts were underway to resolve the problem and keep their resorts operational. It wasn’t until approximately ten days later, on September 20, that the company announced their hotels and casinos were operating normally, albeit with the warning of possible intermittent issues and unavailability of MGM Rewards.
Data Breach Revelation: A Blow to Guest Privacy
In a subsequent update on October 5, MGM Resorts revealed that the hackers had accessed personal information, including names, contact details, gender, date of birth, and sensitive identification data like driver’s licenses, passports, and Social Security numbers, for “some customers” before March 2019. While MGM refrained from specifying the number of affected individuals, they pledged to provide free credit monitoring services—a typical response from companies grappling with data breaches.
Scattered Spider: The Culprits Behind the Breach
This incident brings to light the susceptibility of even the largest organizations to cyberattacks. Scattered Spider, a group skilled in social engineering, is believed to be behind the breach. The group excels at manipulating victims through impersonation, using a technique known as “vishing,” which relies on convincing phone calls rather than email phishing.
The Vishing Tactic: A Growing Cybersecurity Threat
Vishing, a portmanteau of “voice” and “phishing,” is an underestimated cybersecurity risk. Over 90 percent of cyberattacks begin with phishing, making it one of the most common attack vectors. Vishing is particularly effective, with a 2022 IBM report revealing that targeted phishing attacks involving phone calls are three times more successful than those that don’t.
How Vishing Works: The Power of Impersonation
The success of vishing attacks hinges on the attacker’s understanding of the system, company, or employee to execute a convincing impersonation. Publicly available information, such as LinkedIn profiles, facilitates these attacks, and organizations with lax verification processes are particularly vulnerable.
Protecting Yourself: Vigilance and Precautions
To protect yourself, be cautious about sharing personal information and practice careful information management. Use unique passwords for different accounts and employ multi-factor authentication. In the unfortunate event of a data breach, regularly monitor your financial accounts, consider freezing your credit, and exercise vigilance against suspicious emails and requests.
MGM Resorts’ Response: Addressing the Fallout
While MGM Resorts is offering identity protection and credit monitoring to affected customers, it’s advisable to take personal steps to safeguard your data and financial well-being. Cyber threats are evolving, and proactive measures are essential to stay secure in the digital age.
Business Cybersecurity Best Practices: Lessons from MGM’s Experience
In the wake of MGM Resorts’ recent cybersecurity incident, there’s a growing need for businesses to safeguard their data and privacy in our increasingly digital world. To protect your business and prevent similar incidents, consider the following measures:
1. Strengthen Password Security: Employ strong, unique passwords for each business account. Utilize a trusted password manager to generate and securely store complex passwords, and regularly update and change passwords to reduce the risk of unauthorized access.
2. Implement Multi-Factor Authentication (MFA): Enhance security by enabling MFA wherever feasible. MFA requires users to provide a secondary verification in addition to their passwords, making it significantly harder for cybercriminals to breach your business accounts.
3. Guard Against Personal Information Exposure: Review your business’s online presence and take measures to limit the sharing of sensitive data on social media and websites. This includes restricting access to critical information such as birthdates, addresses, and contact details to deter cyberattacks.
4. Stay Informed and Alert: Educate your employees about common cyber threats, including phishing, vishing, and social engineering. Encourage caution when interacting with unsolicited messages or calls, emphasizing the need to verify the sender’s legitimacy before sharing information.
5. Monitor Financial Transactions: Continuously scrutinize your company’s bank and credit card statements for any unauthorized or suspicious activities. In case of any discrepancies, promptly report them to your financial institution to prevent financial losses.
6. Consider Credit Freezing: Explore the option of freezing your business’s credit with credit reporting agencies to restrict access to credit reports, effectively thwarting identity theft attempts.
7. Stay Informed About Data Breaches: Sign up for breach notifications from companies your business engages with. Additionally, make use of credit monitoring services offered by affected businesses to stay informed about potential identity theft risks.
8. Practice Robust Email Security: Caution your employees against opening emails from unknown sources or containing suspicious links or attachments. Emphasize the importance of not clicking on links or downloading files unless the source is verified.
Preventative Measures: Cybersecurity Insurance
Cyber insurance, also called cyber security or cyber liability insurance, covers businesses against losses resulting from data breaches. This form of insurance primarily applies to businesses that run secure networks as part of their daily operations.
A cyberattack on a business without cyber insurance may result in legal fees, compromised data, and the loss of computer systems. Of small businesses, 42% have experienced a cyberattack within the past year, and 53% have experienced multiple data breaches.
What Does Cyber Insurance Cover?
Coverage varies depending on the policy. However, cyber insurance generally covers:
- Fines, legal fees, and penalties
- Credit and fraud monitoring services
- Finding and addressing the security defect
- Notifying customers of a data breach
- Restoring the personal identities of affected customers
- Recovering compromised data
- Repairing damaged computer systems
Have More Questions About Cyber Insurance?
Apex Risk & Insurance Services was specifically founded to fill the service and consultative gap left by agency consolidations in the insurance marketplace. These consolidations have left customers who are used to a boutique service approach with no personal connection to their team.
Apex brings the high-touch service proposition back to the San Diego business community, and beyond.