The cyberattacks on MGM Resorts International and Caesars Entertainment in September 2023 had significant operational, reputational, and financial consequences [1].

Description

MGM Resorts International reported that the attack had a $100 million impact on its third-quarter results and prompted the company to shut down its systems to contain the damage [3]. The company also expects to incur a one-time cost of around $10 million [3]. This is not the first cybersecurity incident for MGM: a significant data breach in February 2020 exposed the personal information of over 10.6 million guests [3].

Hackers obtained an MGM employee’s data from LinkedIn and used it to impersonate the employee, gaining access to their sign-in credentials [1]. Consequently, sensitive information such as names, addresses, phone numbers, email addresses, dates of birth, driver’s license numbers, and passport numbers was exposed [2].

Allegations suggest that MGM Resorts failed to protect the personal information of its customers and loyalty program members, did not encrypt or adequately protect this information, did not warn affected individuals about its security practices, did not secure its hardware against intrusions, and did not provide timely notice of the breach [2].

This breach highlights the vulnerability of relying on legacy sign-in credentials like passwords and SMS one-time passcodes, which can be easily exploited and reused [1]. The recurrence of such incidents raises questions about whether lessons have been learned [3].

Conclusion

The cyberattacks on MGM Resorts International and Caesars Entertainment had significant consequences [1], including financial losses and reputational damage. MGM Resorts International alone reported a $100 million impact on its third-quarter results and expects to incur a one-time cost of around $10 million. The February 2020 breach had already exposed sensitive personal information of over 10.6 million guests [3], raising concerns about MGM Resorts’ security practices. Legacy sign-in credentials like passwords and SMS one-time passcodes were exploited [1], highlighting the need for stronger authentication methods. The recurrence of such incidents raises questions about the effectiveness of lessons learned and the need for improved cybersecurity measures in the future.

References

[1] https://www.darkreading.com/endpoint/mgm-and-caesars-attacks-highlight-social-engineering-risks
[2] https://news.bloomberglaw.com/litigation/mgm-resorts-hit-with-class-action-over-september-data-breach
[3] https://www.sharevault.com/blog/it-security/the-mgm-breach