Analyzing MGM and Caesars Cyberattacks: Lessons in Cybersecurity Preparedness

In the wake of recent cyberattacks targeting industry giants MGM Resorts and Caesars Entertainment, it’s imperative to examine both the commonalities and disparities in these incidents. These high-profile breaches offer valuable insights into the ever-evolving realm of cybersecurity threats within the gaming industry. Furthermore, they underscore the importance of proactive cybersecurity measures and preparedness. To be fair to both Caesars and MGM, this is a outside looking in assessment with publicly available information. Running large IT organizations in gaming is not simple though we will look at many of the publicly available issues and lessons.

General Considerations

Before delving into the specifics of these cyberattacks, it’s important to emphasize the significance of proactive cybersecurity measures. Post-breach recovery efforts are undoubtedly crucial, but it’s far from an ideal starting point. Proper preparation, stringent defenses, and compartmentalized systems are essential. For instance, having segregated gaming environments from administrative ones can ensure the continuity of operations even during restoration and system rebuilding, as demonstrated in one organization’s systems that I designed. A design concept that MGM appears not to have followed.

A robust information security director understands the value of saying “no” when necessary, prioritizing system compartmentalization over new customer service initiatives or cost-cutting measures. The expenses associated with recovery far outweigh any upfront investments.

The idea of a zero-trust environment also comes into play. While sometimes productivity is impacted and slows with the need to authenticate into systems more than we would like, the hit to productivity is far less than a cyber incidence that goes viral with one administrative login breach.

Caesars Entertainment’s Issue and Disclosure

Caesars Entertainment, recognized for its ownership of iconic properties like Caesars Palace, publicly disclosed a social engineering attack through a September 14 8-K filing. This breach compromised their loyalty program database, including sensitive data such as driver’s license and social security numbers, with the attack dating back to at least September 7. Although the responsible group remained unclaimed at the time, subsequent reports suggested Scattered Spider and Alphv as potential culprits. Notably, Caesars appeared to experience relatively minimal disruption compared to MGM.

MGM Resorts Cybersecurity Issue

In a significant cybersecurity incident that rocked MGM Resorts, an affiliate of the BlackCat ransomware group, also known as APLHV, emerged as the perpetrator behind the attack. This breach went beyond mere disruption, compelling the company to shut down its IT systems temporarily.

Attack Details

The BlackCat ransomware group claimed responsibility for infiltrating MGM’s infrastructure. Disturbingly, this infiltration had occurred days before the breach was detected. During this window, the attackers managed to encrypt more than 100 ESXi hypervisors, a critical component of MGM’s IT infrastructure, especially in the realm of virtualization.

Data Exfiltration and Ongoing Threat

Besides encryption, the hackers exfiltrated sensitive data from MGM’s network and maintained access to certain parts of their infrastructure. This lingering access left the organization exposed to potential further attacks, highlighting the persistence and adaptability of modern cyber threats.

The Scattered Spider Connection

One of the groups named in this cyberattack has been identified as Scattered Spider by cybersecurity experts. Their modus operandi involves a range of social engineering tactics, such as impersonating help desk personnel and conducting SIM swap attacks. These tactics are used to gain initial access to corporate networks. Once inside, they employ various techniques to escalate their privileges and move laterally within the network.

MGM’s Response and Ransomware Deployment

One key aspect of this breach was MGM’s response. While the company took steps to disconnect certain servers and contain the incident, the hackers persisted. They maintained super administrator privileges on MGM’s Okta identity and access management environment and Global Administrator permissions for the company’s Azure tenant. Despite these actions from MGM, the attackers successfully launched ransomware attacks against over 100 ESXi hypervisors on September 11th.

Data Compromise and Ongoing Threat

The attackers have not disclosed the full extent of the data they exfiltrated, leaving MGM uncertain about the potential compromise of sensitive information. To exert additional pressure on the company, BlackCat threatened to use their ongoing access to MGM’s infrastructure to carry out further attacks.

As of now, there has been no confirmation from MGM regarding the ransomware group’s claims, and the company has not responded to inquiries. This incident underscores the evolving and persistent nature of cyber threats and the critical importance of robust cybersecurity measures and incident response strategies for organizations in today’s digital landscape. MGM’s experience serves as a stark reminder of the necessity for businesses to remain vigilant, prepared, and proactive in the face of evolving cyber threats.

Differing Outcomes and Insights

While both cyberattacks shared the commonality of targeting casino industry leaders through social engineering tactics, the outcomes were starkly dissimilar. Caesars faced fewer operational disruptions and hinted at potential ransom payment, aligning with prior reports. Conversely, MGM grappled with extensive disturbances, with the question of ransom payment remaining unanswered.

These incidents underscore the diverse nature of cyber threats and their potential impact on organizations. The gaming industry, in particular, is a prime target due to its possession of valuable customer data, making it an attractive prospect for cybercriminals. To navigate this evolving threat landscape, organizations must comprehend the nuances of each attack and leverage these insights to construct robust and adaptive cybersecurity strategies.

The ongoing threat of cyberattacks necessitates perpetual vigilance, stringent security protocols, and collaborative efforts among industry stakeholders. These proactive measures are imperative for safeguarding sensitive data and ensuring the resilience of operational infrastructure.

Navigating the Legal Landscape of Cybersecurity Incidents

In an age where data breaches and cyberattacks have become an unfortunate norm, corporations find themselves grappling not only with technical challenges but also with complex legal obligations. As these recent events involving industry titans MGM Resorts and Caesars Entertainment have shown, understanding and effectively managing the legal aftermath of a cybersecurity breach is critical for any organization. Class action court filings are almost certain to follow. Considering all this, here are a few items that should be addressed by executives and boards of all companies.

Data Breach Notification Laws: Compliance Is Not Optional

One of the foremost considerations in the wake of a cybersecurity breach is compliance with data breach notification laws. Across numerous jurisdictions, companies are legally mandated to promptly notify both affected individuals and relevant authorities when a data breach occurs. These laws are stringent, often specifying strict timelines for reporting breaches. Failure to adhere to these timelines can result in severe penalties. It is incumbent upon businesses to familiarize themselves with the notification requirements of the regions in which they operate, given the global nature of many cyber incidents.

Regulatory Compliance: Industry-Specific Regulations

For companies operating in regulated sectors such as healthcare, finance, or gaming, compliance with industry-specific cybersecurity regulations is non-negotiable. These regulations define rigorous standards for data protection and incident response. Moreover, laws such as the GDPR and CCPA demand stringent data protection measures and impose substantial fines for non-compliance. Ignoring these regulations can lead to not only legal repercussions but also reputational damage.

Civil Liability: Facing Legal Consequences

Civil liability is a significant concern following a cyber breach. Breach victims have the right to initiate class-action lawsuits against the responsible companies, seeking damages stemming from the breach. Companies must be prepared to defend themselves in such cases, and demonstrating diligence in cybersecurity measures is vital for mitigating negligence claims.

Paying Ransoms: Legal and Ethical Quandaries

The issue of paying ransoms to cybercriminals is fraught with legal and ethical dilemmas. The legality of such payments varies across jurisdictions, with some regions strictly prohibiting them while others lack clear regulations. Companies must also grapple with the ethical implications, as paying ransoms can inadvertently incentivize further cyberattacks.

Cyber Insurance: Know Your Coverage and Reporting Obligations

Organizations with cyber insurance policies must meticulously examine the terms and conditions to comprehend the extent of their coverage in the event of a breach. Not all policies provide the same level of protection, and misconceptions about coverage can be costly. Additionally, insurers often impose specific reporting requirements that companies must strictly follow when filing claims. Failure to meet these requirements can lead to disputes over coverage.

Disclaimer: Consult Legal and Professional Resources

It is imperative to emphasize that the complexities of cybersecurity legalities require thorough consultation with legal and professional experts. This article offers a broad overview but should not be considered a substitute for professional advice tailored to specific circumstances. When faced with a cybersecurity incident, businesses should promptly engage with legal counsel and cybersecurity experts to navigate the intricate legal landscape effectively.

In an era where the fallout from cybersecurity incidents can be financially and reputationally devastating, preparedness and compliance with legal obligations are not just prudent choices but essential business imperatives.

Leave a Reply