Updated September 17, 2023 - 3:32 pm
Sometimes the house loses.
The apparent cyberattack that hobbled MGM Resorts International this past week is the latest in a string of high-profile security breaches to befall Las Vegas casinos in recent months.
As MGM deals with what it has called a “cyber issue,” the gaming and hospitality giant apparently hasn’t been the only one to be targeted by potentially devastating cyber criminals lately. Caesars Entertainment also paid tens of millions to hackers to prevent them from releasing stolen data, Bloomberg reported Wednesday.
But the casinos have always been targets for robbers, fraudsters, hackers and, of course, cheaters. It’s just the way they’re being targeted that continues to evolve, experts say. Which means the gaming industry as a whole will have to keep evolving to avoid being further victimized by such high-stakes shakedowns.
Hackers claiming responsibility for the MGM outage said they compromised the company’s infrastructure through simple social engineering, rather than unleashing ransomware.
The hacker gang ALPHV, also known as BlackCat, said that it had breached the gaming giant with a simple phone call, according to a post on X from malware repository vx-underground.
Then on Thursday, the group said it would unleash ransomware on the company’s computer systems “if a deal is not reached.”
While MGM has avoided the term cyberattack, the company has not commented on the cause of its computer failures, although the FBI confirmed earlier in the week that it was investigating the matter.
“I think this is kind of a bit of a never-ending story, as criminals find new ways to enact their crimes,” said Alan Feldman, who is the Distinguished Fellow in Responsible Gaming for UNLV’s International Gaming Institute. “So it’s a constant evolution of security systems, protocols and technologies.”
Although July was a month of record revenues for Nevada casinos, September has obviously been a month of headaches for MGM Resorts International. On Sept. 1, a hotel operations manager at MGM’s Aria turned himself in to the Metropolitan Police Department amid allegations he stole over $773,000 between July 2022 and July 2023 by issuing more than 200 false refunds to his debit card.
In June, Circa became victim to a so-called impostor scam. Downtown Las Vegas’ biggest hotel was swindled out of $1.17 million after an employee was duped into believing she was delivering bags of cash to two men at four different locations on behalf of one of the hotel’s owners.
Erik Gutierrez Martinez, a 23-year-old man who was living in an east Las Vegas trailer park with his aunt, was also accused of involvement in similar casino-targeting con jobs.
If MGM is indeed facing a cyberattack, as appears to be the likely scenario, and the reports about Caesars are true, the common thread, along with the Circa heist, would be social engineering, which basically refers to the component of hacking that involves human interaction.
‘Where am I vulnerable?’
To combat hacking, experts say, companies and government agencies need to be aware of and vigilant against this human element.
“The mindset always has to be: Where am I vulnerable?” said Charlie Lombardo, a gaming consultant and former gaming executive.
Social engineering happens when hackers are able to exploit vulnerabilities in a targeted company’s or government institution’s systems by deceiving an employee or employees into divulging information or allowing access, whether it be by phone, email or some other means.
“From what I’ve seen with these threat actors, that’s their main MO. That’s what they do,” said Alex Waintraub, a cybersecurity expert at CYGNVS Inc., whose mission is to help other companies navigate cyber crises. “They use the least sophisticated tactic there is, the human, to actually get into environments and cause cyber havoc.”
Mehmet Erdem, professor of hotel operations and technology at UNLV, said that by and large Las Vegas casinos are good about security, and are forever playing catch-up in their efforts to beat the hackers whose techniques are constantly evolving.
Social engineering threat
Part of that effort to thwart the criminals requires awareness of the threat of social engineering at both the companywide and the individual level.
“We have to be more vigilant and proactive,” Erdem said.
Unfortunately, successful social engineering doesn’t even require complicated code building or computer wizardry, Waintraub pointed out.
“All they need to do is manipulate the human,” Waintraub said.
Amid all of these financial crimes, Southern Nevada casinos have also endured violence over the past year as well as a high-profile serial robbery spree.
In February, a 30-year-old man shot himself in the left thigh, apparently unintentionally, on the gaming floor of The Cosmopolitan of Las Vegas, according to an arrest report. And in January, a 40-year-old man died by suicide after shooting himself with an AR-15 in a public restroom on the casino floor of the Rio.
In July, an allegedly drug-crazed 35-year-old man held a woman hostage for hours in a room at Caesars Palace. After smashing the room’s windows, he tossed furniture to the ground 21 floors below, according to records. In May, two women were arrested after a man was fatally shot in a Caesars Palace hotel room.
In April, a 33-year-old Las Vegas man was arrested in connection with the robberies of six off-Strip casinos between November 2022 and April 2023. D’Shante Styles was accused of robbing the casino cages — with either a note or a verbal command — of the Gold Coast, Green Valley Ranch, Silverton, Rampart, Palace Station and M Resort.
Challenges come with territory
“Anywhere there’s money — and we see this over and over and over again — there are opportunities, and people are going to take a crack,” Lombardo said.
All of this hurts the overall mission of the hospitality industry, which at a very basic level is to provide a good time in a safe environment.
“It’s hard to be successful in hospitality if you’ve got security issues of any kind,” Feldman said.
Contact Brett Clarkson at email@example.com.
Correction: A Sunday story misstated a comment from UNLV Professor Mehmet Erdem. He said hotels are playing catch-up with cyber hackers.