MGM Resorts International employs over 81,000 people and earned $16.164 billion in revenue last year. The exact figure isn’t public, but in 2021 MGM spent around $400 million on Information Technology (IT), of which $60-$70 million went to cyber security.
On September 11, 2023, the casino and hotel operator was hit by a major cyberattack. In the first 30 days, MGM reported that the attack cost them over $100 million.
It’s important to note that MGM did not pay the ransom. The $100 million includes loss of revenue, consulting services, legal fees, and other expenses related to the cyberattack.
So, was it a genius hacker that overcame their multimillion-dollar defenses? A nation-state actor? A failure to patch a critical system?
Nope, it all started with a ten-minute phone call.
A group of hackers called Scattered Spider claimed responsibility for the attack. They are notorious for using social engineering techniques to deceive company employees into granting access to their networks. ALPHV, also known as Black Cat, is a well-known ransomware gang that operates underneath Scattered Spider.
For MGM, Scattered Spider used LinkedIn to find an actual employee who worked in the company’s IT department. Their plan was to call the MGM help desk posing as that employee, pretend to be locked out, and ask for access to the account to be restored.
The cyberattack had a major effect on MGM’s operations, causing ATMs, slot machines, digital room keys, and other digital payment systems to go offline. Additionally, the company’s corporate email, restaurant reservation, and hotel booking systems all remained inaccessible. It is important to note that MGM owns over 30 international hotels, resorts, and gaming venues.
If a respected billion-dollar company can be taken down like that, what are your chances of protecting your organization? With regular cyber security training, they’re pretty good.
Cyber security training is the most cost-effective defense any organization can adopt. As the MGM example shows, cyber security training for your IT people is especially critical. IT people know a lot about technology but often have gaps in soft skills, making them especially vulnerable to social engineering.
At Commonwealth Sentinel, we offer a wide range of cyber security training programs for organizations of any size. To schedule a free consultation, contact us at (502) 320-9885.
On July 22, 2024, CyberScoop reported that police had arrested a 17-year-old in connection with the MGM hack.