Image Credits: K.M. Cannon / Las Vegas Review-Journal / Tribune News Service / Getty Images
The hospitality sector has been rattled by yet another wave of high-profile cybersecurity attacks, as industry giants Caesars Entertainment and MGM Resorts came under fire this month. The data breaches appear to involve the theft of customer databases and have rendered MGM's IT systems inoperable for days. What can we learn from these incidents, and what should the industry do to protect itself better in the future?
Then Fall Caesars
Caesars Entertainment confirmed the theft of its customer database, containing sensitive information like driver’s license and social security numbers. The breach was carried out through a social engineering attack on an outsourced IT support vendor. Upon discovery, Caesars launched an investigation, sought assistance from leading cybersecurity firms, and reported the breach to law enforcement agencies.
Interestingly, the SEC filing by Caesars hinted at extortion attempts, raising questions about whether ransom payments were made to secure the compromised data. Multiple reports suggest that a sum of around $15 million was paid to meet the extortionists' demands, although Caesars has not confirmed this.
Scattered Spider Entangles MGM
Meanwhile, MGM Resorts faces its fourth day of IT system outage. The hacking group "Scattered Spider" reportedly took just a ten-minute call with the help desk to gain unauthorized access to MGM's systems. Although MGM is still investigating the extent of the damage, their entire network seems to be compromised.
The group initially had more ambitious plans, aiming to rig slot machines for huge payouts. However, these plans were allegedly abandoned for more traditional cybercriminal tactics, such as ransomware deployment.
The Dangers of Overlooking the Basics
Both breaches serve as poignant reminders of the vulnerabilities that exist when even basic cybersecurity protocols are not adequately enforced. Social engineering attacks, like the ones carried out on MGM and Caesars, exploit human weaknesses rather than technological ones. Employees need to be trained adequately to recognize and respond to such threats effectively.
The Cost of Negligence
The damage for both companies extends beyond the immediate financial loss due to extortion payments or operational downtime. They now face potential lawsuits, regulatory fines, and a significant loss of customer trust, which may have long-lasting impacts on their market share and profitability.
Lessons and Recommendations
1. Third-party Risk Management: The Caesars attack reveals the risks involved when outsourcing IT services. Companies need to conduct thorough risk assessments of their vendors.
2. Employee Training: All employees, not just those in IT, should be trained to recognize social engineering attacks and phishing scams.
3. Multi-factor Authentication (MFA): A more secure verification process could have potentially thwarted the ten-minute help desk call attack against MGM.
4. Incident Response Plan: A pre-established action plan is crucial to manage the situation effectively, should a breach occur.
5. Cyber Insurance: It's not just about preventing an attack; companies must also prepare for the financial and operational fallout. Cyber insurance can mitigate these costs.
Conclusion
The recent cybersecurity attacks on Caesars and MGM Resorts serve as a harsh reminder that no organization is safe from the burgeoning threats of the digital age. Companies, especially in sectors like hospitality, must fortify their cybersecurity defenses to protect their data and their reputation. This is not just about deploying the most advanced tools but involves fostering a culture of security awareness from the top down.