October 31, 2023
In September 2023, Metro-Goldwyn-Mayer (MGM) Resorts fell victim to a cyberattack after hackers impersonated an employee via vishing (voice phishing). In a call to the company’s IT desk, hackers used employee information found on LinkedIn to obtain a one-time password and reset login credentials.
Once in the system, the hackers gained access to several admin groups and deployed ransomware. The hack and resulting data breach impacted many operations within the company, from hotel room access keys to casino payouts. In the days that followed, personally identifiable information of employees and customers, including Social Security numbers and passport numbers, was obtained by the group.
The impact of the cyberattack is not fully known, but in an October 2023 regulatory filing, MGM Resorts states that the attack cost the company at least $100 million in lost business and disruption and another $10 million in “one-time expenses related to the cybersecurity issue.” MGM also stated it believes its cybersecurity insurance will cover these costs, but, as of now, the full scope of the impacts has yet to be determined [1].
In addition, MGM Resorts is facing class action litigation filed in the U.S. District Court of Nevada alleging that the company was negligent and failed to protect the personal data of customers [2]. This is because Okta, an identity and access management vendor, had issued prior warnings that it had detected social engineering attacks, yet no changes were made.
Numerous insights can be gained from the MGM cyberattack. C-Suite executives and cybersecurity experts can apply these takeaways to safeguard their organizations.
Vishing utilizes social engineering techniques to obtain confidential information from employees. With vishing, cybercriminals use telephone calls to trick individuals into revealing sensitive information over the phone. This is just one example of how attacks happen in the evolving threat landscape. According to the IBM Security 2023 Cost of a Data Breach Report, phishing and stolen or compromised credentials were the two most common initial attack vectors in 2023 [3]. As threats become more sophisticated, staying current on these trends and adjusting cybersecurity strategies accordingly is vital.
Employees serve as the first line of defense for business cybersecurity. Cybersecurity training for all employees, regardless of access level, is critical. Regular training teaches staff to recognize potential threats, from phone and email to physical security, and how to alert the appropriate team members.
This cybersecurity disaster serves as a reminder that any system can be foiled. Cyber insurance helps cover financial losses and bring in attorneys to handle lawsuits like those MGM is facing.
No matter the company’s size, a cyberattack or data breach can have detrimental results and lingering effects.
Recovering from a cyberattack can be costly. From additional IT expenses incurred to loss of profits as the attacks disrupt operations, millions of dollars are lost because of data breaches every year. In 2023, the average cost of a data breach reached an all-time high of $4.45 million [3]. Small and medium-sized businesses (SMBs) often lack the financial cushion to absorb these expenses.
Cyberattacks disrupt day-to-day operations, causing business downtime and productivity losses. Lost or corrupted data can hurt productivity as employees may lose customer records or intellectual property.
When a data breach occurs, some customers may no longer feel comfortable trusting the business with their personal information. This lack of trust can lead to a loss of clientele, and negative media coverage surrounding the event can deter future customers.
Any non-compliance with data protection regulations can result in fines and legal consequences. This is a concern for businesses of all sizes, as data protection laws and regulations are continuing to evolve. As seen in the MGM cyberattack, customers affected by data breaches have the legal right to pursue class-action lawsuits against responsible companies.
SMB cybersecurity challenges often come from a lack of resources and expertise to fend off cyberattacks effectively. When crafting a comprehensive cybersecurity strategy and data breach prevention plan, there are several best practices to consider to bolster your defenses and safeguard your digital assets.
The MGM cyberattack is a powerful reminder that no business, regardless of size, is safe from cyber threats. As the threat landscape evolves, companies must adapt their cybersecurity measures and prepare for potential breaches.
Whether you’re starting your digital workspace journey or want to ensure you’re protected against threats, Dewpoint’s experts are here to guide you. We can help you baseline your security posture with an assessment, evaluate cloud options based on your business needs, or develop a disaster recovery plan to protect your organization from data loss. Chat with one of our experts today.