Guests typically visit MGM Resorts properties in Las Vegas to relax and unwind. But after the company detected a cyberattack last month, on September 10, visitors had an exceptionally unsatisfactory experience.
With its computers taken offline, MGM had to fall back to manual operations, leading to roughly ten days of disruption. Guests at its casino hotels spent hours in check-in lines and received handwritten receipts and physical room keys. The company's website suffered intermittent outages, and even some slot machines stopped working.
The campaign reached beyond this one business: the same group also hit another Las Vegas institution, Caesars Entertainment, as well as manufacturing, retail, and technology companies.
You might be wondering, "Why should these high-profile ransomware attacks matter to me?"
Ransomware attacks are on the rise. According to Microsoft's recent research, human-operated ransomware attacks have increased by more than 200% since September 2022. And ransomware is not only a big-company problem: industry data suggests that in 2021, small businesses were the target of 70% of ransomware attacks.
The MGM Resorts hack is just one story that highlights why your business needs to bolster its cybersecurity defenses. If such a well-resourced company can suffer data theft through social engineering, no one is immune. This article digs deeper into the MGM hack and draws lessons for closing security gaps and planning a more effective incident response.
Social engineering is a common tactic attackers use to carry out a data breach. Rather than defeating your IT infrastructure with advanced technical exploits, criminals psychologically manipulate users into disclosing sensitive data or taking an action that opens the door to restricted parts of the network.
It might involve deceiving users into thinking a fraudulent message comes from a trusted source, offering an enticing download that contains malicious software, or impersonating a co-worker. Scammers often manufacture urgency so that users act quickly and carelessly to resolve a fake emergency. In recent years, an identity-centric Zero Trust approach to cybersecurity has grown in popularity for countering social engineering. Businesses recognize that, because people will make mistakes, they need multiple layers of defense that can detect and respond to an intruder who has already obtained a valid login.
During the MGM incident, the hacking group Scattered Spider used several social engineering tactics to carry out the intrusion.
The group is known for researching an organization in detail to find a suitable employee to impersonate, then building a profile of that person from social media and other public content and weaponizing it.
In this case, the attackers called MGM's IT help desk posing as an employee who had lost access to their account. Using details gleaned from the real employee's LinkedIn profile to pass the help desk's identity checks, they persuaded frontline support to reset the account's credentials, including its multifactor authentication enrollment. Reports describe the call as taking about ten minutes; at the end of it the attackers held a working login with MFA under their own control.
After wreaking havoc for several days, the attackers made a ransom demand. Using tooling supplied by an affiliated ransomware-as-a-service operation, ALPHV/BlackCat, which publicly claimed the attack, they pulled data from the company's most sensitive repositories to use as leverage. There is no evidence that MGM paid; Caesars, by contrast, reportedly paid about $15 million.
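The chain described above, a help-desk reset of a user's MFA followed minutes later by the attacker enrolling their own factor and logging in, leaves a distinctive trail in identity-provider audit logs. Below is an added example (not MGM's telemetry, not any vendor's real log schema, and not PC Corp's tooling) of detection logic that flags a reset performed on someone's behalf when it is followed within a short window by an MFA enrollment, and then a login, from an address the account has never used. The event format, user names, IP addresses, and the `KNOWN_IPS` baseline are constructed for illustration.

```python
"""Flag a help-desk MFA reset that is quickly followed by an enrollment
from an address the account has never used.

Added example. The audit format, users, IPs and the KNOWN_IPS baseline
below are constructed for illustration and do not reflect any real
identity provider's schema or MGM's environment.
"""
from datetime import datetime, timedelta

# How long after a help-desk reset an unfamiliar enrollment is treated as suspicious.
RESET_TO_ENROLL_WINDOW = timedelta(minutes=30)

# Constructed audit stream: "<timestamp> <event type> key=value ...".
# jdoe:   reset by help desk after a phone ticket, then enrolled and logged in
#         minutes later from an external address the account had never used.
# asmith: reset by help desk, but enrolled the next day from a known office address.
SAMPLE_EVENTS = """\
2023-09-10T14:02:11Z helpdesk.ticket.opened user=jdoe actor=helpdesk-07 ip=10.0.5.21 channel=phone
2023-09-10T14:05:40Z mfa.factor.reset user=jdoe actor=helpdesk-07 ip=10.0.5.21
2023-09-10T14:09:03Z mfa.factor.enroll user=jdoe actor=jdoe ip=203.0.113.45
2023-09-10T14:09:50Z auth.login.success user=jdoe actor=jdoe ip=203.0.113.45
2023-09-10T14:30:12Z helpdesk.ticket.opened user=asmith actor=helpdesk-03 ip=10.0.5.22 channel=chat
2023-09-10T14:33:00Z mfa.factor.reset user=asmith actor=helpdesk-03 ip=10.0.5.22
2023-09-11T09:15:00Z mfa.factor.enroll user=asmith actor=asmith ip=10.0.7.88
2023-09-11T09:16:10Z auth.login.success user=asmith actor=asmith ip=10.0.7.88
"""

# Constructed baseline: addresses each account has logged in from historically.
KNOWN_IPS = {
    "jdoe": {"10.0.7.12"},
    "asmith": {"10.0.7.88"},
}


def parse_events(text):
    """Parse the constructed audit format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": kind}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_helpdesk_mfa_takeover(events, known_ips, window=RESET_TO_ENROLL_WINDOW):
    """Return one alert per help-desk reset that is followed, within `window`,
    by an MFA enrollment from an address not in the user's known set."""
    alerts = []
    for i, reset in enumerate(events):
        # Only resets performed on someone else's behalf (help desk, admin).
        if reset["type"] != "mfa.factor.reset" or reset["actor"] == reset["user"]:
            continue
        user = reset["user"]
        # The most recent ticket for this user records how the request arrived;
        # an inbound phone call is the classic pretext vector.
        channel = next(
            (e.get("channel") for e in reversed(events[:i])
             if e["type"] == "helpdesk.ticket.opened" and e["user"] == user),
            None,
        )
        deadline = reset["ts"] + window
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, so nothing further is inside the window
            if (later["type"] == "mfa.factor.enroll" and later["user"] == user
                    and later["ip"] not in known_ips.get(user, set())):
                # Did a login from the freshly enrolled device follow inside the window?
                login_seen = any(
                    e["type"] == "auth.login.success" and e["user"] == user
                    and e["ip"] == later["ip"] and later["ts"] <= e["ts"] <= deadline
                    for e in events
                )
                alerts.append({
                    "user": user,
                    "helpdesk_actor": reset["actor"],
                    "ticket_channel": channel,
                    "reset_at": reset["ts"].isoformat(),
                    "enroll_ip": later["ip"],
                    "seconds_to_enroll": int((later["ts"] - reset["ts"]).total_seconds()),
                    "login_observed": login_seen,
                })
                break  # one alert per reset
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_mfa_takeover(parse_events(SAMPLE_EVENTS), KNOWN_IPS):
        print(alert)
```

Run against the sample stream, the rule fires once, for jdoe: a phone-initiated reset, an enrollment from 203.0.113.45 some 203 seconds later, and a login from the same address. The asmith reset produces nothing because the enrollment happens the next day from an address already in the baseline. Keying on "actor differs from user" rather than on a help-desk naming convention also catches administrator-assisted resets; in production, the baseline would be built from historical successful logins and extended with device and geolocation signals, and an alert of this shape should be treated as an account takeover until the help desk has confirmed the request through a channel the caller did not choose.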
This is a textbook targeted social engineering attack, close kin to spear phishing but delivered by telephone (often called vishing) rather than by email. The specific technique is pretexting: fabricating a believable scenario, here an employee locked out of their account, to talk a target into handing over access or information.
Most cyberattacks have far-reaching consequences, with profound business, financial, and reputational implications. Although MGM is still early in its recovery, it is already clear that the MGM Resorts attack is no exception.
In a regulatory filing, MGM Resorts estimated that the attack would cut roughly $100 million from its third-quarter earnings, chiefly from lost bookings and casino revenue during the outage, plus less than $10 million in one-time expenses for technology consultants, legal fees, and other remediation. Its share price also fell in the days after the disclosure.
But the consequences go beyond financial loss; the company's reputation with its customers has also taken a hit.
Although MGM states that customer payment card and bank account numbers were not affected, it has acknowledged that the attackers obtained other personal information for some customers: names, Social Security numbers, driver's license numbers, and passport numbers, among other sensitive details.
Want to know what you should do to prevent a ransomware attack? Or what to do if you experience one? Check out our guide to recovery from ransomware.
In light of the MGM Resorts breach and Scattered Spider's polished social engineering, the most important lesson for your business is this: make end-user awareness training and a security-minded culture a priority in your cybersecurity strategy.
Cutting-edge technical controls alone will not keep your data safe. You must also give your employees, and especially help desk and support staff, the knowledge and skills to recognize social engineering, whether it arrives by email or, as in this case, by telephone. They need to feel responsible for acting as a human firewall and for actively protecting data.
Awareness training empowers employees to recognize and thwart evolving threats and helps them understand why vigilance matters in a changing threat landscape. Trained staff are likelier to browse safely, to think twice before handing out corporate information or resetting someone's access, and to stop an attack before it breaches your systems.
Dive deeper into the benefits of user awareness training.
For businesses of every size, the cyberattack on MGM Resorts should be a stark reminder of the importance of building digital resilience. It also highlights the need for a cybersecurity strategy that blends technical controls with an engaged security culture.
When you work with PC Corp to address your IT needs, we will help empower your employees to serve as a frontline defense against cyber threats. Together, we will make data security a shared responsibility across the organization.
Connect with us to discuss how we can implement user awareness training to create a more secure digital future for your business.