MGM Hack That Affected MGM Springfield Was ‘Oldest Trick In The Book,’ Expert Says

Written By Adam Hensley on October 4, 2023

MGM and Caesars made headlines last month when they both fell victim to cyberattacks.

And what happened should make operators of Massachusetts casinos rethink their approach to protecting their data, according to a cybersecurity expert.

PlayMA spoke with John Young, one of the country’s top minds in the cybersecurity industry. Young spent more than 30 years working for IBM before starting his own company, Neutralize AI. He’s written books on the subject and also speaks with companies, offering town halls to spread awareness on the issue.

“I think every casino, every business in Las Vegas, probably took a look at what went on and questioned what happened,” Young told PlayMA. “They’re reexamining everything from top to bottom, since it’s tens of millions of dollars.”

What happened with MGM and Caesars?

Cybercriminals hacked into both MGM and Caesars in September, with the hackers demanding millions to return control to the operators.

Aside from the data breach, it was the physical issues at MGM’s locations that sparked headlines. MGM customers were unable to use slot machines, elevators, check into their stays — even open doors — because everything is on the operator’s data network.

But it wasn’t just the Las Vegas locations that experienced pain from the attacks.

MGM Springfield was unable to take reservations. The customers’ use of the ATMs was limited and credit cards were not accepted. The casino’s website wasn’t working either, as it was down for nearly a week.

As of now, it appears everything is back to normal.

The MGM and Caesars cyberhack was a result of social engineering

Since the attack, some information emerged on just how it happened.

“No organization is going to give you all the details, because that is going to expose more vulnerabilities,” Young said. “But it was the oldest scam in the book.”

These attacks were the result of social engineering — one person deceiving another to gain access to information.

In the case of MGM’s cyberattack, the hackers allegedly combed through LinkedIn and found the profile of one employee. From there, they impersonated the employee over the phone with the company’s help desk.

“LinkedIn is basically a treasure trove of information for a hacker or a scammer on how to pull off something like the ransomware scheme that happened at MGM and Caesars,” Young said.

Young noted that most people using LinkedIn are in job-hunting mode. Those people will list the specific software and programs they use as part of their experience for potential employers. But hackers can see this information, too, and it gives them a ballpark idea of what to expect when they’re in the system.

Figuring it truly was the person calling, the help desk ended up giving the hackers credentials to the system, and they subsequently took control.

Casino operators must utilize systems of ‘least privilege’ to boost cybersecurity

There’s no shortage of fingers to point when it comes to the blame for these attacks. For instance, MGM uses Okta, a cybersecurity company, for its protection. According to a Bloomberg report, one Okta executive didn’t take the blame, instead pointing the finger at MGM’s help desk, which unknowingly gave the hackers access to the system.

But once the hackers entered the system, data shouldn’t have been as accessible as it was, according to Young.

“They’re not going to talk about (that),” he said.

Young described an ideal system that utilizes rules of “least privilege.” In short, not every employee has the same access to the system.

“They didn’t have (access levels) coordinated off or sectioned off in a way that they couldn’t get through it to another area,” he said. “In this case, they were just flying through everything. Once they got to the top level, they were top level for everything, from what I’ve read.”

Basically, employees in a system like this have just enough access to do their daily jobs or the “least amount of access necessary.”

Young said the cyberattack wouldn’t have gotten as far if the casinos had had something like this in place.

“It should have been compartmentalized. They should have been able to get to one area but not to another. Maybe they had everything so integrated that they didn’t realize they had a real problem if someone got higher-level access to take over these areas.”

Should casino operators pay the ransom if they’re hacked?

It truly depends. There is no clear-cut right or wrong way to handle a situation quite like this once it happens.

“It’s the pain level you can experience,” Young said. “How confident are you that you can shut down the exploit and get everything back online and take control?”

MGM and Caesars handled their situations differently.

Caesars ended up paying the hackers $15 million. According to CNBC, the hackers originally wanted $30 million.

MGM did not pay the hackers. But in turn, it reduced its daily revenue and cash flow by 10-20%, according to Forbes. The operator’s market cap decreased by $2 billion.

“It’s a real black eye for any organization, but especially casinos,” Young said. “A lot of it is reputation. That’s your game.”

According to IBM, the cost of a data breach is up 15% from just three years ago. The average data breach in 2023 costs companies $4.45 million.

What data is at risk when a casino operator is hacked?

Casinos have a reputation for security. After all, they handle your money and are responsible for keeping it safe and paying out winners. But that’s not all that is at risk when hackers target an operator.

Casino operators store a plethora of information within their databases. It comes in the form of customer information and employee specifics, including social security and bank account numbers. There’s a chance that hackers could also access important information from vendors the casino works with and different financial institutions, according to Young.

The result? Individual people — not just the organization — can be fighting these problems for years.

“They’re not going to tell you everything that happened,” he said. “They don’t want to reveal it. But the damage that this can cause runs not only into the tens of millions of dollars, but customer reputation. It can devastate their stock price, their market value. Are people as willing to put out their information knowing they’re breached? Probably not.”

Awareness is one of the biggest keys to cybersecurity

A company can have the best technology out there when it comes to stopping these attacks, but all it takes is one employee to let their guard down before everything collapses.

“It’s all awareness,” Young said. “Someone is letting the wolf into the henhouse.”

Young likened the awareness issue to how hitchhiking became less and less popular over the years because of safety concerns. Movies like “Death of Hitch-Hikers” came out and had a Jaws-like effect. People who had once picked up hitchhikers without a second thought became afraid to do so.

These casino giants, which have some of the best security measures in place, still let this cyberattack take place. But going forward, this could (and should) make all employees think twice.

“It’s one of those things where awareness is 90% of the problem. They may have had all these great networking solutions and threw hardware at it and their IT people were super trained, but at the lowest level, if there’s a social engineering break in and there’s a weakness in the architecture that’s exploitable, then you get the result that’s here.”

Young stressed that all casino employees need to be aware of best cybersecurity practices, especially after what happened to MGM and Caesars.

“They need to be a good cybersecurity-aware citizen because their own jobs depend on it. When the bottom line gets hit, budgets get cut. And when budgets get cut, headcount gets cut. Their own job or the funding for their equipment – whatever it may be – is at risk.”

When it comes to online products, both MGM and Caesars maintained the operations of their mobile betting apps, so BetMGM Massachusetts and Caesars Sportsbook Massachusetts here in the Bay State were unaffected.

Keep an eye on cloud data breaches moving forward

Going forward, casinos — as well as any business, for that matter — should keep an eye on their data in the cloud.

“People think the cloud is going to save them,” Young said. “It’s not going to do that.”

According to IBM, 82% of breaches involved data stored in the cloud.

The issue with the cloud boils down to a third party. At the end of the day, it’s one company trusting another with its security, Young said. Making sure that same awareness is consistent across businesses and their cloud providers is crucial.

“You’re depending on this cloud provider’s employees. Who knows how they’ve been trained? Are they getting qualified people? It’s a roll of a dice. When the company hires someone in their IT department, they vet them. They go through interview after interview. It’s not an easy situation. But they’re giving control to these cloud providers.”

An opportunity for casino operators to rethink their approach to cybersecurity

What happened to both operators is unfortunate, especially for individuals who had their data compromised. But MGM, Caesars and operators and businesses of all walks should use this as a learning tool.

“If I was a rival casino and I saw what happened with MGM, I would pull in all my IT folks and we’d go over everything – the architecture of the hardware, the software, with a fine-tooth comb,” Young said.


Adam Hensley is a journalist from Des Moines, Iowa, with experience covering online sports betting and gambling across Catena Media. His byline has appeared in the Associated Press, Sports Illustrated and sites within the USA Today Network. Hensley graduated from the University of Iowa in 2019 and spent his college career working for the Daily Iowan’s sports department, both as an editor and reporter.
