MGM Had ‘F’ Grade for Cyber Vulnerability Prior to Hack
Posted on: September 19, 2023, 11:32h.
Last updated on: September 19, 2023, 07:03h.
Prior to the recent ransomware attack that continues disrupting MGM Resorts International’s domestic gaming operations, the casino giant received an “F” grade from a cybersecurity analytics company regarding its speed in addressing cyber vulnerabilities.
In its most recent batch of cybersecurity ratings, Boston-based BitSight, a cybersecurity ratings and analytics company, graded MGM’s patching cadence with an “F.” Patching cadence is the speed at which an organization addresses known cyber issues and vulnerabilities.
While it’s not clear whether or not the hackers who hit MGM on September 10 are avid followers of BitSight ratings, it is clear that corporations that receive an “F” patching cadence grade from the research firm are 3.2x more likely to be victimized by an adverse cyber event than those with an “A” grade, and 50% more likely to endure such a scenario than those scoring a “B.”
Cyber incidents are defined as ransomware attacks, data breaches, and business interruptions that compel the affected party to make cyber insurance claims or notifications.
Maybe Something to MGM “F” Grade
To be clear, BitSight didn’t single out MGM — other companies can and do receive the dubious “F” grade for patching cadence. However, the operator has an inauspicious cybersecurity history.
In February 2020, it was revealed that in 2019, hackers stole sensitive data of 10.6 million MGM customers, including some celebrities, from the company’s database and later marketed that data for profit on the dark web.
Last December, BetMGM, which is 50% controlled by MGM, confirmed a data breach that was believed to have occurred in May 2022. The Bellagio operator isn’t alone. Rival Caesars Entertainment was also recently the victim of a ransomware attack, and the travel and leisure industry, including casino operators, has a history of being a favored target of cyber criminals.
“In terms of improving security, casinos, like many other industries, need to increase awareness of their vulnerabilities, strengthen network segmentation, limit access control, and strengthen practices around patching and updates, and especially remote access,” said Waterfall Security Solutions CEO Lior Frenkel in comments made to Casino.org.
MGM Paying Price … Literally
While rival Caesars revealed in a recent regulatory document that one of its insurance carriers picked up the tab for an unspecified payment to hackers to end a ransomware attack, MGM has yet to follow suit. The cyber attack on MGM is on its 10th day and is costing the operator as much as $8.4 million per day in lost revenue.
That works out to $84 million — a fraction of the $14.8 billion in consolidated revenue the Cosmopolitan operator generated for the 12 months ending June 30.
While $84 million isn’t a massive number in corporate terms, it’s likely more than what the hackers are demanding and potentially more than MGM needed to allocate to address its cybersecurity needs.
Last Comment ( 1 )
Cyber research companies do a pretty good job in assessing such things. The fact that MGM received such an awful grade should give any other organization that is not investing in such technology serious reconsideration of their investment and commitment to ramping up their security. MGM probably spends hundreds of millions of dollars a year if not more on such technology.