MGM Cyberattack: A Wake-Up Call for Businesses of All Sizes

October 31, 2023

How Did the MGM Cyberattack Happen?

In September 2023, Metro-Goldwyn-Mayer (MGM) Resorts fell victim to a cyberattack after hackers impersonated an employee via vishing (voice phishing). In a call to the company’s IT desk, hackers used employee information found on LinkedIn to obtain a one-time password and reset login credentials.

Once in the system, the hackers gained access to several admin groups and deployed ransomware. The hack and resulting data breach impacted many operations within the company, from hotel room access keys to casino payouts. In the days that followed, personally identifiable information of employees and customers, including Social Security numbers and passport numbers, was obtained by the group.
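The chain described above, a help-desk credential reset followed by access to admin groups, can be watched for by correlating the two event types per account. This is an added detection example, not code from the article or from MGM; the event schema, group names, and sample log lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema (ts, action, actor, target, group) is
# hypothetical and not any real identity provider's log format.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T14:02:00", "action": "mfa_reset", "actor": "helpdesk-07", "target": "jdoe"},
    {"ts": "2024-01-15T14:05:00", "action": "password_reset", "actor": "helpdesk-07", "target": "jdoe"},
    {"ts": "2024-01-15T14:40:00", "action": "group_add", "actor": "jdoe", "target": "jdoe", "group": "idp-super-admins"},
    {"ts": "2024-01-15T15:00:00", "action": "password_reset", "actor": "helpdesk-03", "target": "asmith"},
    {"ts": "2024-01-17T09:00:00", "action": "group_add", "actor": "it-admin", "target": "asmith", "group": "idp-super-admins"},
    {"ts": "2024-01-15T16:00:00", "action": "group_add", "actor": "it-admin", "target": "bwong", "group": "marketing"},
]

RESET_ACTIONS = {"mfa_reset", "password_reset"}
PRIVILEGED_GROUPS = {"idp-super-admins", "domain-admins"}  # assumed group names


def find_reset_then_privilege(events, window=timedelta(hours=24)):
    """Flag privileged group additions that involve an account whose
    credentials were reset within `window` beforehand."""
    last_reset = {}  # account -> (time of latest reset, who performed it)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] in RESET_ACTIONS:
            last_reset[ev["target"]] = (ts, ev["actor"])
        elif ev["action"] == "group_add" and ev.get("group") in PRIVILEGED_GROUPS:
            # Check both the account gaining the privilege and the one granting it.
            for account in sorted({ev["target"], ev["actor"]}):
                reset = last_reset.get(account)
                if reset and ts - reset[0] <= window:
                    alerts.append({
                        "account": account,
                        "group": ev["group"],
                        "reset_by": reset[1],
                        "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_privilege(SAMPLE_EVENTS):
        print(alert)
```

The 24-hour default window is an assumption; widening it catches slower escalation at the cost of more alerts to triage.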

The impact of the cyberattack is not fully known, but in an October 2023 regulatory filing, MGM Resorts states that the attack cost the company at least $100 million in lost business and disruption and another $10 million in “one-time expenses related to the cybersecurity issue.” MGM also stated it believes its cybersecurity insurance will cover these costs, but, as of now, the full scope of the impacts has yet to be determined [1].

In addition, MGM Resorts is facing class action litigation filed in the U.S. District Court of Nevada alleging that the company was negligent and failed to protect the personal data of customers [2]. This is because Okta, an identity and access management vendor, had issued prior warnings that it had detected social engineering attacks, yet no changes were made.

Lessons Learned from the MGM Data Breach

Numerous insights can be gained from the MGM cyberattack. C-Suite executives and cybersecurity experts can apply these takeaways to safeguard their organizations. 

Understanding vishing and other cybersecurity threats

Vishing utilizes social engineering techniques to obtain confidential information from employees. With vishing, cybercriminals use telephone calls to trick individuals into revealing sensitive information over the phone. This is just one example of how attacks happen in the evolving threat landscape. According to the IBM Security 2023 Cost of a Data Breach Report, phishing and stolen or compromised credentials were the two most common initial attack vectors in 2023 [3]. As threats become more sophisticated, staying current on these trends and adjusting cybersecurity strategies accordingly is vital.

Prioritizing employee cybersecurity training

Employees serve as the first line of defense for business cybersecurity. Cybersecurity training for all employees, regardless of access level, is critical. Regular training teaches staff to recognize potential threats, from phone and email to physical security, and how to alert the appropriate team members.

Having cybersecurity insurance

This cybersecurity disaster serves as a reminder that any system can be foiled. Cyber insurance helps cover financial losses and bring in attorneys to handle lawsuits like those MGM is facing.

The Impact of Cyberattacks on Businesses

No matter the company’s size, a cyberattack or data breach can have detrimental results and lingering effects.

Financial Loss

Recovering from a cyberattack can be costly. From additional IT expenses incurred to loss of profits as the attacks disrupt operations, millions of dollars are lost because of data breaches every year. In 2023, the average cost of a data breach reached an all-time high of $4.45 million [3]. Small and medium-sized businesses (SMBs) often lack the financial cushion to absorb these expenses.

Operation Disruption

Cyberattacks disrupt day-to-day operations, causing business downtime and productivity losses. Lost or corrupted data can hurt productivity as employees may lose customer records or intellectual property. 

Reputation Damage

When a data breach occurs, some customers may no longer feel comfortable trusting the business with their personal information. This lack of trust can lead to a loss of clientele, and negative media coverage surrounding the event can deter future customers.

Legal and Regulatory Ramifications

Any non-compliance with data protection regulations can result in fines and legal consequences. This is a concern for businesses of all sizes, as data protection laws and regulations are continuing to evolve. As seen in the MGM cyberattack, customers affected by data breaches have the legal right to pursue class-action lawsuits against responsible companies.

How SMBs can prepare for cyberattacks

SMB cybersecurity challenges often come from a lack of resources and expertise to fend off cyberattacks effectively. When crafting a comprehensive cybersecurity strategy and data breach prevention plan, there are several best practices to consider to bolster your defenses and safeguard your digital assets.

  1. Cybersecurity Software: Investing in basic cybersecurity software, including implementing firewalls, antivirus software, and performing regular software updates, is the first step to protecting your assets. As cybersecurity threats advance, so do operating systems. New updates often include new security features to protect your data.
  2. Employee Training: Educate staff on cybersecurity best practices, including recognizing phishing attempts and maintaining strong passwords. Knowing how to spot an attempted attack will help keep your organization safe. Regular employee cybersecurity training will keep cybersecurity at the front of employees’ minds and educate them on the evolving cyber landscape.
  3. Outsourcing: Consider outsourcing cybersecurity services to professionals who can monitor threats and respond swiftly. Maintaining a quick response time to threats will help keep your business and information safe.
  4. Incident Response Planning: The aftermath of a cybersecurity incident or data breach shouldn’t leave your team asking, “What’s next?” Having a plan to identify, contain, and mitigate the effects of the attack allows organizations to recover swiftly and resume operations. It also enables teams to act quickly and confidently when threats arise. 
  5. Conduct a cybersecurity assessment: Conduct regular assessments to identify vulnerabilities and areas for improvement. Adapting your strategy to address these potential weaknesses will enhance your company’s cybersecurity posture. 
  6. Learn from others: Having a collaborative approach to cybersecurity can provide valuable insights. Consider participating in industry-specific information-sharing initiatives and utilizing government resources for cybersecurity guidance.

The MGM cyberattack is a powerful reminder that no business, regardless of size, is safe from cyber threats. As the threat landscape evolves, companies must adapt their cybersecurity measures and prepare for potential breaches.

How Can Dewpoint Help?

Whether you’re starting your digital workspace journey or want to ensure you’re protected against threats, Dewpoint’s experts are here to guide you. We can help you baseline your security posture with an assessment, evaluate cloud options based on your business needs, or develop a disaster recovery plan to protect your organization from data loss. Chat with one of our experts today.

Sources:

  1. Securities and Exchange Commission – https://www.sec.gov/ix?doc=/Archives/edgar/data/789570/000119312523251667/d461062d8k.htm
  2. Class Action Complaint – https://www.documentcloud.org/documents/23990705-mgmsuit
  3. IBM – https://www.ibm.com/downloads/cas/E3G5JMBP
