A recent cyberattack targeting MGM Resorts has left guests with a losing hand.
In addition to a potential breach of personal data, hotel and casino visitors have had to contend with widespread interruptions since last week, ranging from inoperable digital keys to blank slot machines.
Days after MGM first reported a “cybersecurity issue” on Sept. 11, Caesars Entertainment acknowledged it had suffered an infiltration on Sept. 7 in a report to the Securities and Exchange Commission. According to reports by the Wall Street Journal and CNBC, Caesars paid roughly $15 million to hackers who had stolen data from the company’s loyalty program.
MGM, which has properties around the world, including more than a dozen on the Las Vegas Strip, told the Associated Press it suspended online operations to protect its proprietary information. MGM did not respond to requests for comment from The Washington Post. The FBI confirmed to The Post it is investigating the incident. The Nevada Gaming Control Board said it is “monitoring” the incident and is in contact with MGM executives and law enforcement agencies.
“MGM shut everything down in order to stop whatever it was from continuing to wend its way through the system,” said Adam Levin, co-host of the podcast “What the Hack?” and founder of CyberScout, a company that helps businesses with online security issues. “ATM machines were impacted. Slot machines, digital room keys, electronic payment systems. The casino at one point was reduced to pen and paper.”
The mega casino and hotel operator has been slowly restoring services, but some still lag behind. In addition, the fallout from the cyberattack is still unfolding.
Here is what you need to know if you have been — or plan to be — a guest at a casino susceptible to a cyberattack.
Who is responsible for the MGM hacks?
The attack on MGM was claimed by an English-speaking group of young adults known to security companies by various names, including Scattered Spider.
They were originally prolific in the financially rewarding category of phone-based scams called SIM-swapping, which uses the trickery known as social engineering to convince phone company employees to hand over control of the number belonging to a target. That has allowed such young criminals to intercept two-factor authentication codes and drain millions from cryptocurrency wallets, among other places.
This year, Scattered Spider signed up as an affiliate of a major ransomware group, BlackCat. That means that when the group breaks into a company, it installs the encrypting program that belongs to BlackCat. BlackCat then handles the ransom negotiations and the two groups split the proceeds.
In this case, BlackCat posted a public message saying its affiliate had gained entry as early as Friday, Sept. 8, and won control of Okta authentication servers, giving it broad authority within the casino’s networks.
How have computer outages affected MGM casinos?
When Rachael Hooks rolled into Vegas for her wedding last week, she discovered MGM had taken multiple systems offline.
Hooks and her fiancé arrived on Sept. 12, the day after MGM acknowledged the cybersecurity incident. The couple had flown in from the United Kingdom and had included a Vegas stop on their western road trip.
Hooks, a first-time visitor to the city, and her partner were greeted with massive lines and inactive slot machines. Hooks said the problems at MGM hotels and casinos seemed to worsen over the week. Casinos were cashing out slot machine winnings manually, the Bellagio was forced to stop all room charges and Aria employees were handing out drinks to “keep people happy,” she said.
At their hotel, the Cosmopolitan of Las Vegas, the staff did not make any announcements about the cyberattack, nor did they inform guests about whether their personal information had been compromised.
“I’ve never seen anything like it,” said Hooks, who departed on Sept. 15 as a newlywed.
MGM’s website said “the vast majority of our property offerings currently remain operational, and we continue to welcome tens of thousands of guests each day.” However, based on its online FAQ section, guests can still expect some hiccups.
Because of issues with mobile check-in and digital keys, the company recommends guests check in at the front desk, where they will receive a physical key card. When it’s time to depart, guests can deposit their key card in the express checkout box. The hotel will email an invoice once its systems are back up.
The company said its properties can process credit card transactions, but cash payments may be quicker in some instances. ATMs are working.
For restaurant reservations, show tickets or spa services, MGM recommends guests book online or on its app. A practice run was successful: A guest could easily book an online dinner reservation for two at Le Cirque in Bellagio, tickets to see Cirque du Soleil’s “O” and schedule a detox wrap at the spa.
On the casino floor, slot machine winners may have to redeem their tickets with the cashier if the payout system is not working. The company warns that visitors using Slot Dollars and Freeplay may experience disruptions. In addition, Las Vegas and regional properties are not accepting rewards points.
If this sounds like a giant headache, MGM said guests with reservations through Sept. 24 can cancel without incurring a penalty.
How long are problems expected to continue?
Aaron Brantly, associate professor of political science and director of the Tech4Humanity lab at Virginia Tech, said the attack could last until the company pays the ransom and the hackers provide a digital key to unlock data, or until MGM can restore its system from secure backups.
“If the ransom is paid, the networks could be back up quickly,” he said. “If it is not, the reconstitution of the network could take days or weeks.”
Do casinos keep my personal information?
Have you ever received an email from a hotel-casino reminding you of a past stay and tempting you to come back to create some new memories? Travel companies can send you customized messages because they retain personal information that you provided as a guest or a loyalty rewards member.
To book a room or sign up for a loyalty program, you have to provide basic data, such as your name, email address, phone number and credit card information. Gamblers who win big may have to provide their Social Security number for tax purposes. In its SEC filing, Caesars said its data breach could have included loyalty members’ driver’s license numbers, too.
“If you’re a hospitality organization and in particular a casino, you have an insane amount of personal data,” Levin said.
Brantly said casino-hotels use this information to “enhance a customer’s experience,” but unfortunately hackers can use this sensitive data for more nefarious pursuits.
Megan Stifel, chief strategy officer at the Institute for Security and Technology, said guests can ask the hotel to delete their personal information. To know your rights, she said to research the general data protection regulations in your destination.
Is my credit card information vulnerable in a casino hack?
Brantly said hotels and casinos frequently store credit card information to cover guest expenses. He said the hacker could access this data, but for the MGM incident, he is not aware of which files were compromised.
However, based on similar incidents, he said, “these types of attacks are quite comprehensive. Hackers can access all of this data.”
How can I protect myself from a cyberattack?
Brantly recommends that past and present MGM guests check their credit card statements for several months, keeping an eye out for any suspicious purchases. The Fair Credit Billing Act protects consumers from fraudulent charges. He added that consumers should keep their credit file locked except under specific circumstances, such as taking out a loan or applying for a job.
“Keeping a credit file locked makes it much more difficult for malicious actors to open lines of credit using a person’s identity,” he said.
Also, sign up for transaction alerts, so you can track purchases on your cards. Levin said if MGM offers assistance, such as a subscription to a program that monitors your ID or resolution services for victims of identity theft, take advantage of it.
To protect yourself from future cyberattacks, he said to use “long and strong” passwords on your accounts and apps, and set up two-factor authentication. For security questions, he recommends using fake facts, since it’s not that hard to dig up, say, the name of your first pet or your high school’s mascot. When downloading an app for a hotel or casino, make sure you are using the official app and not a counterfeit version.
“Don’t go home and burn off your fingerprints and rip out all of the cords, turn off the lights and hide under a mattress,” Levin said. “But understand that we are vulnerable and have to act accordingly.”
Could another casino get hacked?
Every industry is susceptible to a cyberattack, including ones recently hit by hackers.
Yoohwan Kim, a computer science professor at the University of Nevada, Las Vegas, said we might see a lull in hacking activity because other casinos have probably doubled down on their safety defenses.
However, the threat is always looming. Alex Hamerstone, an advisory solutions director with TrustedSec, an information security consulting firm, said the high volume of personal data being traded among a multitude of businesses and organizations makes it difficult to plug all the holes.
“Companies used to try to build walls around their data, but now there’s so much sharing between companies and systems, they have become very porous,” he said. “With complexity comes additional vulnerability.”