Updated September 26, 2023 - 6:27 pm
It was almost as if Nevada regulators anticipated cyber trouble back in December when they approved revisions to Regulation 5 that call for plans to address cyberattacks on casino companies.
Nevada licensees have until Dec. 31 to deliver risk assessments of their business operations and develop cybersecurity best practices.
But in late August, hacker gangs identifying themselves as Scattered Spider and ALPHV broke into computer systems of Caesars Entertainment Inc. and on Sept. 10 into systems of MGM Resorts International.
While Caesars reportedly paid a multimillion-dollar ransomware demand and didn’t lose an operational beat, MGM didn’t, and the company endured nine days of operational chaos as multiple computer systems went down, costing the company millions.
The company’s website and hotel room booking engines were struck, the MGM app used by customers to enter their hotel rooms was offline. Restaurant and attraction reservation systems failed. The company, fearing worse damage to their systems, shut down networked slot machines and instead had to pay slot machine winners manually instead of through a machine’s ticket in-ticket out system that produces vouchers that could be redeemed for cash or inserted into other machines.
The 10 MGM resorts in Las Vegas and its other resorts across the United States were unable to process credit card transactions, in-casino ATMs were off line and their paid parking access was compromised. Company email also was offline.
Customers who have written emails and called the Review-Journal say they fear their personal data might have been exposed.
Consumers already have begun paying attention, filing class-action lawsuits — against MGM and Caesars — in U.S. District Court in Las Vegas.
Casino customers in Illinois, Colorado, Mississippi and Louisiana filed the lawsuits seeking unspecified damages. Neither company commented on the lawsuits.
In the days since the attack began, the company has reported a gradual return to normal business. On Monday, the company said websites can be accessed and company email was available.
At Thursday’s Nevada Gaming Commission meeting, Commissioner Brian Krolicki said he was hopeful that a public report could be made to explain the MGM and Caesars breaches. Since then, there have been no further regulatory reports, and commissioners have declined to comment. But Krolicki noted the deadline listed in Regulation 5.
“A covered entity that experiences a cyberattack to its information system resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence shall provide written notification of the cyberattack to the board as soon as practicable but no later than 72 hours after becoming aware of the cyberattack,” the regulation says.
“Upon request, the covered entity shall provide the Board with specific information regarding the cyberattack, perform, or have a third-party perform, an investigation into the cyberattack, prepare a report documenting the results of the investigation, notify the board of the completion of the report, and make the report available to the board for review upon request. The report must include, without limit, the root cause of the cyber attack, the extent of the cyberattack, and any actions taken or planned to be taken to prevent similar events that allowed the cyberattack to occur and notify the board when any investigation or similar action taken by an entity external to the covered entity is completed and make the results of such investigation or similar action available to the board upon request.”
A Control Board spokesman on Tuesday said a workshop meeting scheduled Wednesday afternoon on gaming technology modernization wouldn’t address the MGM or Caesars incidents.
But it could be the elephant in the room when participants discuss gaming devices, associated equipment, cashless wagering systems and processes that could result in more effective deployment of gaming technology projects and discussion regarding advanced technology.
It’s unclear just how long the attack on MGM would affect business, but a New York-based cybersecurity expert said he believes a lack of public confidence in MGM could discourage stays at MGM properties leading up to the Super Bowl at Allegiant Stadium in February.
“There’s the obvious practical near-term effects, which is people were unable to book accommodation for some period of time,” said Dan Draper, founder and CEO of CipherStash, a company designed to prevent data breaches from ever happening.
“Certainly, being offline for a period of time would have resulted in a number of lost bookings,” he said. “But I think the bigger issue here is the effect or the impact that the breach will have on consumer trust. And I think this just goes to amplify what I certainly see as an ongoing trend in consumer distrust of how their data is being managed.”
Impact of breaches
Because breaches affected the two largest resort companies in Las Vegas, Draper said it’s possible Las Vegas as a whole could feel the impact.
“It’s probably not going to get to the point where a significant number of people don’t come to Las Vegas at all, but I do think that it is going to have an effect on how much money they spend, on what kinds of accommodation they choose to stay in,” he said. “And once again, if they’re not providing their personal data or they’re a lot more cautious about providing personal data to various different suppliers, I would say that the share of wallet would be reduced.”
Draper’s comments mirror some of the remarks last week of Brendan Bussmann of Las Vegas-based B Global, who said MGM needs to be at the top of its game with multiple major events on the near horizon.
With November’s Formula One Las Vegas Grand Prix, December’s National Finals Rodeo, January’s CES convention and February’s Super Bowl LVIII on the horizon, Bussmann said it’s critical for MGM to rebound from the attack.
“You’ve got a busy schedule ahead over the next six months of MICE (meetings, incentives, conferences and exhibitions), sports and other key events on the docket so the runway is short to get back to everything running on all cylinders while continuing to evaluate how best to address what has occurred in the future,” he said. “While there still may be lingering effects behind the scenes, the show must go on and MGM Resorts will do what it takes to keep those things running.”