Shares of MGM Resorts (MGM) close slightly lower after a cyberattack shut down the Las Vegas operator’s systems. Last week, Caesars Entertainment’s (CZR) systems and user data were also reportedly attacked. Recorded Future Threat Intelligence Analyst Allan Liska breaks down the implications of these hacks and cybersecurity systems that can be put in place to avoid these types of attacks. Liska states these events could become “an investor confidence issue” and will lead these companies to beef up their cybersecurity, and most likely their physical on-site security as well. He cites the lack of proper social engineering training at most casinos, noting the attack did not appear to be complex and could make for very easy targets for hackers “with the right attitude.”
Video Transcript
BRAD SMITH: Shares of MGM Resorts closing lower today as the casino giant battles a widespread system outage, five days after a cyber attack forced it to shut down systems at properties across the US. Guests reporting ATMs, slot machines, and digital room key cards remained out of order. This as Caesars Entertainment reported it was hit by a cyber attack last week that saw the personal data of its reward members compromised.
The company acknowledged in an SEC filing that it couldn't guarantee the security of stolen information, putting millions at risk. With more on the potential fallout from these attacks, we've got Allan Liska, a threat security analyst at cybersecurity firm Recorded Future, here. Allan, the significance here of all three of these, or at least Caesars and MGM, being targeted in this fashion.
ALLAN LISKA: Yeah, it's fairly significant. Casinos have been hit a number of times this year. We've seen multiple attacks against them, but nothing this big. And so having these kind of huge casinos being impacted, and not just the casinos but, as you pointed out, all of their clients and customers being impacted is huge.
AKIKO FUJITA: I mean, six terabytes worth of data is what it's being reported out in terms of information that was stolen. What does this tell you about the security that's in place at these casinos, where, I mean, everything from your room key to your transaction, your winnings, all of that, is operated under this digital umbrella?
ALLAN LISKA: Right. So casinos have traditionally invested very heavily in physical security, right? They want to make sure that their slot machines are safe. They want to make sure that nobody is card counting, that nobody can break into the system.
They haven't invested as heavily in cybersecurity. But as we're finding out, so much of these casinos are network-based, right? As you say, the rooms, the slot machines, all of your credit card information, all of your membership information is all stored digitally, and that's ripe for these kind of attacks and can be incredibly devastating to not only the patrons of the casino but to the casino themselves.
BRAD SMITH: So, what type of hit on customer confidence does this typically have, after a cybersecurity breach like this?
ALLAN LISKA: It depends. I mean, you saw the stock price for both casinos has been down this week. So there is an investor confidence issue. But then there's also a confidence issue in terms of the casino themselves. Is it safe to go back there?
Now, the good news is, when an attack like this happens, there's almost always a heavy investment in security. So undoubtedly, both Caesars and MGM will be much more secure going forward, but they may have lost confidence in their-- the confidence of their customers. And, honestly, it also probably means that the other casinos on the Strip are now heavily investing in cybersecurity as well to make sure that they don't fall victim.
AKIKO FUJITA: Hey, Allan, I wonder what you make of the reports of how this, in fact, was carried out, that this was actually information that was obtained by a phone call, not necessarily, right-- I mean, hackers were able to use that information from the call to hack into the system. But it wasn't all just done on the internet. And I ask that because there's certainly a lot of education among companies across the country that have been put into letting employees know about what to look out for when there are criminals who are trying to hack into a system. I mean, this doesn't feel like it was that high tech.
ALLAN LISKA: Most attacks aren't. Whether you're talking about a phishing attack over email, most of them aren't that complex to get in. And even most exploitations aren't that complex. That's kind of one of the dirty secrets of security, is too many things are missed. In this case, social engineering, when done well, can be really hard to defend against.
Just a couple of weeks before these attacks at the DEF CON conference in Las Vegas, they had a whole social engineering village, where they were showing how easy it is to use social engineering to gain access. Because with the right script, the right voice, the right attitude, it is surprisingly easy to get help desk people to reset a password or to give you a multifactor authentication code. And that's where a lot of organizations don't extend the training to. They'll do phishing training, they'll do security awareness training, but they won't necessarily do social engineering training.
BRAD SMITH: Where are we hearing generative AI could be, perhaps one of the larger solutions for cybersecurity? I mean, obviously, it's coming up in the industry, but it's a matter of-- at what cost for corporations are they going to have to kind of just make sure that they put up the dollars in order to not just have an added layer of cybersecurity but they're also being proactive within that measure as well?
ALLAN LISKA: Right. Well, and that's the thing with generative AI that you need to think about, is it's not just an implement-it-and-forget-it kind of solution. There's a lot of care and feeding that goes into an AI-based solution to improve it and have it constantly be responsive to new threats and new kinds of attacks. And so just like with anything else in security, AI can be really helpful. But you have to have the staff, the resources, and the capabilities to manage it and maintain it, otherwise, it's just another tool sitting on your shelf, not being useful. But it can be very helpful in improving cybersecurity within an organization.
AKIKO FUJITA: And finally, Allan, what about those users who were in Vegas, who are worried maybe their data has been targeted, maybe their data has been compromised? What are the steps they should be taking right now?
ALLAN LISKA: You know, unfortunately, we have this conversation a lot, whether we're talking about schools that are hit with ransomware or hospitals that are hit with ransomware or now casinos that are hit with ransomware. It's the same conversation repeatedly that credit monitoring becomes really, really important here. Making sure that you are aware of any changes to your credit score, anybody trying to open new accounts, anybody trying to open new driver's licenses, et cetera. So having those credit monitoring services are really helpful. I wish I had a better answer than that, but that right now is the best solution that we have for these kind of attacks.
BRAD SMITH: One of the reasons that we also see the stock price move in reaction to something like that is not just the original exposure but also the action that customers might take on the other side. Are you expecting some type of massive settlements in order to assuage customers who are impacted by this as a result of, and perhaps and are brewing up a class action lawsuit?
ALLAN LISKA: Yeah. So any time we see a big ransomware attack like this, especially one that's in the news, you have at least two lawsuits that are filed. You'll have the shareholder class action lawsuit and you'll also have the impacted customers class action lawsuit. So, yeah, we expect to see both of those come forward in the next few weeks as things start to settle within MGM and within Caesars. But yeah, that's just par for the course at this point.
BRAD SMITH: All right. Allan, thank you so much for your time and your insights on this matter. Of course, the story that we're going to be continuing to track in the falling action of it as well here. Allan Liska, appreciate the time.