Cybersecurity in the Hospitality Industry: Lessons from MGM Resorts' $100m Data Breach Fiasco

The recent data breach at MGM Resorts International reportedly cost MGM $100 million, and serves as a stark reminder of rampant vulnerabilities in the hospitality industry. This cyberattack, initiated through a social engineering breach (aka “vishing”) highlights the sophisticated nature of cyber threats. So, how can the hospitality industry (and all industries) bolster cybersecurity?

In this breakdown of vishing cybersecurity, we’ll look at:

• Vishing Techniques in the MGM Resorts Cyberattack: A New Era of Digital Threats
• The Costly Impact of Vishing and Cyber Threats on Hospitality Companies
• Enhancing Cybersecurity in the Hospitality Industry: A Comprehensive Approach

Vishing Techniques In The MGM Resorts Cyberattack: A New Era Of Digital Threats   

The MGM Resorts International cyberattack is a glaring example of the ever-growing threat of vishing (voice phishing). Vishing is a method where attackers use phone calls to trick individuals into revealing sensitive information.

In the case of MGM, this attack began with a social engineering tactic, targeting MGM's IT help desk, where attackers posed as legitimate users and requested password resets. It ultimately cost MGM an estimated $100 million in damages.

The Scattered Spider group, believed to be behind this attack, demonstrated a high level of proficiency in vishing / social engineering. They successfully duped IT staff into resetting multifactor authentication settings for privileged users, as detailed in Okta's threat advisory. This initial breach allowed further network penetration and extensive disruptions across MGM's operations. According to a Vox report, the simplicity yet effectiveness of the vishing approach highlights threats not just to the hospitality industry, but to nearly every enterprise today.

Further complicating the situation, the attack's sophistication did not stop at the initial vishing attempt. Once the hackers gained entry, they employed advanced tactics, making it clear that companies need to be prepared for hybrid attack strategies. MGM ended up shutting down their systems to contain the attacks, resulting in slot machines displaying error messages and long lines as customers couldn’t check in nor out of the hotel.

The Costly Impact Of Vishing And Cyber Threats On Hospitality Companies

The hospitality industry is a prime target for cybercriminals due to its vast repositories of customer data. So, they face multifaceted financial repercussions from vishing and other cyber threats. The MGM incident exemplifies how vishing attacks can lead to substantial losses and a cascade of negative consequences for any hospitality company, both tangible and intangible, such as:

1. Stock Price Impact: Cyberattacks often lead to immediate stock price drops as investor confidence wanes as a direct response to perceived risks and the potential for future losses. The uncertainty surrounding a company's ability to secure data can significantly affect its market valuation as well. Consider that MGM stock was at $43.74/share the day before the incident. On October 5th, it was $34.79/share.
2. Credit Rating Downgrade: Post-attack, hospitality companies may face credit rating downgrades. Credit agencies often view cyber incidents as indicators of operational weaknesses, potentially increasing borrowing costs and impacting future financial planning. Moody’s, in fact, warned that it may impact MGM’s credit rating, noting the attack “highlights key risks” to its operations.
3. Eroding Customer Trust: Trust is a cornerstone of the hospitality industry. Cyberattacks, particularly those involving customer data breaches, can severely undermine customer confidence.
4. Direct Cost of Lost Business: In the immediate aftermath of an attack, businesses often experience a drop in bookings and cancellations, leading to direct revenue losses. In MGM’s case, they lost several days worth of revenue of booking, dining, entertainment, and gaming, as well as hotel cancellations.
5. IT Consulting and System Repair Costs: Addressing a cyber breach requires considerable IT resources. Expenses include hiring external cybersecurity experts, purchasing new software, and overhauling existing systems to prevent future attacks. MGM reported spending under $10 million technology consulting services, legal fees and expenses of other third party advisors in the immediate aftermath of the attack.
6. Data Repair Costs to Affected Consumers: Companies may need to compensate affected customers, often through free credit monitoring services or direct financial reparations. This not only adds to the financial burden but also serves as a reminder of the breach to customers.
7. Legal Ramifications: Victims of data breaches often resort to legal action, leading to costly lawsuits.
8. Governmental Action and Fines: Regulatory bodies may impose fines and sanctions on companies that fail to protect customer data adequately. The hospitality industry is particularly susceptible to such actions.

In the case of MGM Resorts, the attack's aftermath involved working with the FBI and the US Cybersecurity and Infrastructure Security Agency, incurring additional costs in terms of compliance and cooperation. The incident serves as a stark reminder of the extensive and varied costs associated with vishing and other cyber threats in the hospitality sector.

Enhancing Cybersecurity In The Hospitality Industry: A Comprehensive Approach

In light of the increasing threats of vishing and other cybercrimes in the hospitality industry, companies must adopt a multifaceted approach to bolster their cybersecurity posture. Here are key strategies:

1. Train Your Staff: From IT to customer service to outsourced contractors, comprehensive cybersecurity training is crucial. Employees should be educated about the latest cyber threats, particularly social engineering tactics, and be equipped with the knowledge to recognize and report suspicious activities.
2. Implement Zero Trust and Robust Authentication: Adopt a zero-trust framework where no user or device is trusted by default, even if they are within the network. This approach, combined with robust multifactor authentication, limits the spread of compromised devices.
3. Schedule Regular Security Audits: Regularly audit your cybersecurity defenses to identify vulnerabilities. Test various aspects of your security, such as the security of your employee directory, the effectiveness of your written protocols, and the ease of reporting mechanisms.
4. Upgrade Identity and Access Management: Implement advanced identity and access management solutions to control user access more effectively.
5. Prioritize Incident Response Planning: Develop a comprehensive incident response plan that covers immediate response, public relations strategies, and recovery procedures from locked systems. This plan should be regularly reviewed and updated to adapt to evolving threats.
6. Collaborate with Cybersecurity Experts: Partner with cybersecurity experts such as YouMailPS.com to gain access to expert knowledge, advanced tools, and ongoing, timely support. This expertise in sophisticated threats provides a critical layer of security at a relatively low cost.
7. Continuous Improvement: AI is leading to continuous improvement in cybersecurity, but it also has a dark side of AI, such as AI-powered voice cloning and automation. Invest in continuous improvements to stay ahead of evolving threats.
8. Create a Culture of Cybersecurity: Foster a workplace environment where cybersecurity is a shared responsibility. Encourage open communication about potential threats and ensure that all staff members are vigilant in maintaining cybersecurity.

Hospitality companies can significantly enhance their defense against vishing and other cyber threats by adopting key strategies. A comprehensive approach not only protects sensitive data and systems, but includes developing a cybersecurity culture, training, partnerships, and response planning.

The MGM Resorts cyberattack is a cautionary tale for the hospitality industry — and any modern customer-facing industry, in fact. It's a reminder of the critical need for robust cybersecurity measures to safeguard against increasingly sophisticated threats. Consider advanced solutions with AI and decades of experiencing a critical element in your toolkit. To see how, book a free demo at YouMailPS.com >