It’s been a few weeks since MGM Grand Detroit suffered the impact of a cyber attack through its parent company, MGM Resorts International.
The attack was one of a handful to occur at a casino over recent months, leaving the gaming operators and customers vulnerable.
PlayMichigan chatted with Lisa Plaggemier, the Executive Director at National Cybersecurity Alliance, about the attacks and what casinos and customers can better do to keep themselves protected.
What exactly occurs during a cyber attack?
Most people have experienced some form of an attempt at a cyber attack in their personal or work life, whether they know it or not.
According to the Cybersecurity & Infrastructure Security Agency, 47% of American adults have had personal data exposed by cyber criminals.
So, just how does it happen?
“Usually it starts with some form of social engineering, like somebody sends a phishing email to one of your employees. Somebody clicks on something that they shouldn’t, not that they’re willful about it,” Plaggemier said.
“That then starts a series of events that downloads malware in the form of ransomware, on to a computer, and then that ransomware goes about encrypting files and moves very quickly through your systems.”
In the case of MGM Resorts, two separate groups took credit for getting access to their data. One group was Scattered Spider, the other was ALPHV. They claimed to have accessed MGM’s servers at several casinos, including MGM Grand Detroit.
The hackers gained access to ATMs, point-of-sale systems, credit and debit card terminals, check cashing and reservation systems. It left casinos like MGM Grand Detroit in flux for over a week.
“The recent cyberattack on MGM Resorts International unveiled the significant deficiencies in the company’s cyber infrastructure and training, paralyzing key sectors of the business. While their rapid activation of an incident response team was a positive step, the critical weaknesses in their cybersecurity setup was still the biggest takeaway,” Plaggemier said.
“In the case of MGM, the criminal breaks into one store in the mall, and they’re able to get into every store in the mall.”
In terms of mobile apps, Caesars and MGM maintained their online betting operations weren’t affected, so users of Caesars Casino Michigan and BetMGM Casino Michigan never saw their gameplay impacted.
MGM Resorts didn’t pay ransom while Caesars did
Prior to the MGM Resorts attack, Caesars also experienced a cyber attack by Scattered Spider.
In both situations, the cyber attackers requested a ransom be paid in the return of the company’s information and system access.
“Now (cyber attackers) don’t just hold data for ransom, but they also want to be paid to not release the data onto the dark web,” Plaggemier said. “It used to be they just encrypted it and held it. Now they’ve decided they can make money both ways.”
In the case of MGM Resorts, it elected not to pay the ransom and dealt with the interruptions for many days. Caesars elected to pay a reported ransom of $15 million to the hackers to get their information back.
Neither situation is ideal, but Plaggemier believes paying the hackers sends a bad message that these attacks are working and will continue.
“We side with federal law enforcement. We believe that paying the criminals is not good practice. It perpetuates the problem as long as people keep paying, and they’ll keep doing it,” Plaggemier said. “You’re also trusting that you’re going to get the encryption keys back and they’re going to work. You’re putting a lot of trust (in the hackers). You’re doing business with criminals.”
Is the gambling industry a target of cyber attacks?
Along with the attacks on Caesars and MGM Resorts, Gateway Casinos suffered a ransomware attack this summer that shut down the company’s gambling facilities in Ontario for two weeks.
Despite the numerous cyber attacks on the gambling industry, Plaggemier doesn’t feel hackers are turning their focus to the industry in particular.
“I don’t think the gaming industry is being focused on necessarily any more than any retail consumer business,” Plaggemier said. “I think it’s more about legacy businesses. Businesses that have a deep, deep history that existed way before the information age. I think it has more to do with whether or not the businesses are successfully navigating over the past 10 or 20 years, a transformation to the digital age, from what was all analog.”
These attacks should be a wake-up call to the gambling industry to be assessing its ability to fight hackers. Keeping up to date with their defenses is critical.
“Companies have to treat security risk like any other risks to your business. There’s geopolitical risk, currency risk, competitive market force risks, competitive risk. Any other risks to your business that you would manage, you need to manage cyber risk just the same,” Plaggemier said.
Protecting yourself from cyber attacks
Since the MGM Resorts attack, we have seen class-action lawsuits filed against the company by its customers due for failing to protect customer data.
Aside from businesses being vulnerable to these attacks, consumers are also constantly under attack from cyber criminals.
Michigan online casinos limit how consumers can do transactions, but Plaggemier recommends using credit cards when available for better personal security.
“As long as you’re using a credit card, as opposed to a debit card, or even as opposed to the electronic payments like Venmo, you’re protected from situations like this. You’re not personally liable,” she said. “So, I’m a big proponent of using credit cards and paying off the whole bill every month. It’s just as easy to use as a debit card or anything else, but it comes with that added protection.”
If you are on your computer at home or at work and suspect you may have clicked on a ransomware attack, the best option is to sever the connection to your work network and internet.
“The best thing to do is to just disconnect from the network at that point. If you’re if you’ve intercepted (the attack) and you know what’s happening. The only way you can stop it from spreading is to shut everything down or disconnect from the internet,” Plaggemier said.
Cyber hackers will continue assault
If the past month has shown us anything, it is that hackers aren’t going to go away.
Their business is to be relentless, as they only need one slight mistake to be successful.
“The hard part is the bad guys only have to be right once, the defenders have to be right all the time. You can’t prevent them from attacking, you’re going to get attacked. Doesn’t matter who you are. Doesn’t matter how big or small your company is. It doesn’t matter if you’re a hospital, a utility company, a hotel or a casino. It doesn’t matter. You’re being attacked, whether you know it or not. Small business, large business, it doesn’t matter. It’s happening,” Plaggemier said.
The reason these will continue is that the attackers have the ability to stay ahead of cyber security in the United States.
“We have organizations that in the western world that move slowly. We have processes we follow, we have laws that we follow, we have compliance regulations in different industries that we follow. Bad guys don’t have compliance. So, they can move really quickly and learn from their mistakes, and just keep iterating until they’re successful,” Plaggemier said.
“Time is money for them, so they move really fast. (Attacks) are going to happen, but the damage can be mitigated if you’re prepared.”
Casinos need to prioritize security defenses
What the casino industry should learn from these recent attacks is to prioritize their security defenses and constantly be prepping for what can be around the corner.
“Security isn’t a one-and-done, it’s not an event. It’s a process that you have to manage just like any other process. It’s just lather, rinse and repeat,” Plaggemier said.
“The problem isn’t going to go away any time soon, the Internet was not built to be secure. It’s just the way it is.”
The public may not be aware if these casino businesses have been successful in their defenses. We only become aware when the defenses fall short.
Going forward, no news is good news.