Computer-connected operations at MGM Resorts properties continue to be impacted by a cyberattack that has now extended into a fifth day, and Caesars Entertainment has confirmed via a filing with the Securities and Exchange Commission (SEC) that it was also recenty the victim of such an attack.
MGM Resorts properties are grappling with the situation as multiple law-enforcement agencies continue investigating the ransomware attack, which included the theft of stored data in addition to the access of sensitive systems. The computerized systems that were affected figure into virtually every aspect of MGM Resorts properties' daily operations, including hotel reservations and room keys, loyalty-program-linked slots and other forms of gaming, ATMs, parking-ramp access, and many, many other electronically-linked systems.
Scattered Spider group behind attack
Several prominent news outlets reported that a hacking group known as Scattered Spider claimed credit for the MGM attack. Scattered Spider and a related hacking group, UNC 3944, are also affiliated with other prominent global hacking groups. According to a Yahoo News update, the Scattered Spider group is believed to be comprised of hackers mostly of college age, 19 to 22, and the group's members are based mostly in the US and UK.
In online posts, the group claimed to have hacked into MGM via "social engineering," meaning to trick a systems-information worker at MGM or a third-party firm into resetting or otherwise revealing a password for a system-linked account that had been identified. One plausible example is for the hacking group to identify a worker at a related firm, gather as much personal and company information about that worker, and then pose as that worker in a call to the company's system-administration department, claiming a lost password and needing a reset.
Such social-engineering attacks are a claimed specialty of the Scattered Spider group, and they are likely to become more common given the relative success of attacks against giant corporations to date. Such corporations, in response, are likely to overhaul and strengthen certain security measures.
Caesars confirms similar attack and related 'expenses'
Several mainstream outlets, including FoxNews and Reuters, also reported that Caesars Entertainment suffered a similar social-engineering attack, again orchestrated by Scattered Spider. Caesars allegedly paid the hacking group tens of millions of dollars to not release a large trove of customers' personal information that had been stolen in the attack, which began in late August.
Earlier today, Caesars filed a notice of "unscheduled material events" with the SEC, confirming some details of the attack, though not any specified dollar amount the company would have paid to the hackers. The filing states that as of September 7, 2023, Caesars confirmed that an "unauthorized actor" had accessed Caesars' systems via a third-party vendor, and had "acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database."
However, Caesars also declared, "We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor." Large numbers of WSOP participants may well be among those impacted by the data theft, as registration into the company's Caesars Rewards program is mandatory to play in any live WSOP event.
Caesars is already establishing protocols to contact all possibly impacted customers in the coming weeks and will provide credit-monitoring services. "We are offering credit monitoring and identity theft protection services to all members of our loyalty program. To sign up for these services, members may call (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays."
As for any ransomware payments, Caesars referred to the matter only in general terms. "We have incurred, and may continue to incur, certain expenses related to this attack," the company declared, "including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.
Both MGM Resorts and Caesars Entertainment stock prices have dipped a couple of percent in recent days as news of the attacks became public.