Skip to content

Search the site

The MGM hack: A $100m hit

"The Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruption..."

mgm hack $100 million

The MGM Resorts hack will cost the casino and hotel operator $100 million in lost earnings – with $10 million in post-incident response.

The $100 million should largely be covered by cyber insurance, MGM said in an SEC filing on October 5, in the wake of the September attack.

As the filing puts it: “ Company estimates a negative impact from the cyber security issue in September of approximately $100 million…

“The Company has also incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third party advisors… the full scope of the costs and related impacts of this issue has not been determined” the filing adds.

The company is now also facing multiple class action lawsuits.

Data of "some customers" stolen

MGM Resorts CEO Bill Hornbuckle said that data had been stolen of “some customers who transacted with us prior to March 2019. This includes name, contact information, gender, date of birth, and driver’s license number. We also believe a more limited number of Social Security numbers and passport numbers were obtained,” he added.

As part of our remediation efforts, we have rebuilt, restored, and further strengthened portions of our IT environment,” Hornbuckle said.

See also: Rebuilding MGM's IT will be a $100/hour Red Hat sysadmin with strong arms, on long shifts.

The ALPHV ransomware group claimed the MGM attack.

ALPHV said its attack involved gaining admin credentials on its Okta SSO platform as well as its Azure cloud tenant after an initial vishing attack. After failing to persuade MGM to negotiate, it then hit ~100+ ESXi hypervisors with ransomware on September 11, the group has claimed.

Okta had warned in a late August blog that customers were reporting "a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all MFA factors enrolled by highly privileged users.

"The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization" it said, a fortnight before the $100 million MGM hack.

Precisely what this means was, at least to The Stack, somewhat unclear. Even Okta seems unsure as to the exact initial attack path. The attackers, in these incidents, Okta said in that security advisory, “appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org.”

Recovering from ransomware: Are your backups enough?

US authorities have warned in the wake of an investigation into how another crime group, Lapsus, breached MFA so effectively in social engineering campaigns that resulted in the breach of hundreds of organistions, that Identity and Access Management (IAM) weaknesses "are some of the most serious vulnerabilities in the digital ecosystem.

Dramatic improvements are necessary and will require a 'whole of industry' approach to innovate and implement meaningful solutions...Web and mobile application developers should leverage Fast IDentity Online (FIDO)2-compliant, hardware-backed solutions built into consumer devices by default," the July 24 report emphasised, adding that "operating system developers, web browser designers, and hardware manufacturers should address the widespread theft and monetization of authentication cookies, such as via infostealer malware, by implementing secure-by-default safety mechanisms that protect these credentials. For example, online service providers could automatically and silently reissue cookies, possibly every hour, to reduce the window of opportunity for attackers..."

See also: Supplier hack had “scope to impact entire telco industry”: Vodafone