Posted: September 19, 2023, 11:32h.
Last updated: September 19, 2023, 11:32h.
Prior to the recent ransomware attack that continues to disrupt MGM Resorts International’s domestic gaming operations, the casino giant received a dismal grade of “F” in addressing cyber vulnerabilities from cybersecurity analytics company, Bitsight.
In the latest round of cybersecurity ratings, cybersecurity ratings and analytics company, Bitsight, gave MGM’s patching cadence an “F” grade. Patching cadence refers to the speed at which an organization addresses known cyber issues and vulnerabilities.
While it remains uncertain if the hackers who targeted MGM on September 10 were influenced by Bitsight ratings, it is clear that companies receiving an “F” patching cadence grade from the research firm are 3.2x more likely to fall victim to adverse cyber events than those with an “A” grade, and 50% more likely than those with a “B” grade.
Cyber incidents include ransomware attacks, data breaches, and business interruptions that lead to cyber insurance claims or notifications by affected parties.
Implications of MGM’s “F” Grade
To be clear, MGM was not specifically singled out by Bitsight, as other companies also receive the unfavorable “F” grade for patching cadence. However, the operator’s history of cybersecurity shortcomings is well-documented.
In February 2020, it was revealed that hackers had stolen sensitive data from 10.6 million MGM customers, including some celebrities, from the company’s database and subsequently sold that data for profit on the dark web.
Last December, BetMGM, which is 50% controlled by MGM, disclosed a data breach that was believed to have occurred in May 2022. MGM is not alone in facing such incidents, as rival Caesars Entertainment recently fell victim to a ransomware attack. The travel and leisure industry, including casino operators, has a history of being a favored target of cyber criminals.
“Casinos, like many other industries, need to increase awareness of their vulnerabilities, strengthen network segmentation, limit access control, and improve practices regarding patching, updates, and remote access,” said Waterfall Security Solutions CEO Lior Frenkel in comments made to Casino.org.
MGM’s Costly Consequences
While rival Caesars revealed in a recent regulatory filing that one of its insurance carriers covered the cost of an unspecified payment to hackers to end a ransomware attack, MGM has not followed suit. As a result, the cyber attack on MGM has now extended into its tenth day and is costing the operator as much as $8.4 million per day in lost revenue.
This amounts to $84 million in total – a fraction of the $14.8 billion in consolidated revenue generated by the operator of The Cosmopolitan for the 12-month period ending June 30.
Although $84 million may not be a staggering figure in corporate terms, it is likely more than what the hackers demanded and potentially more than what MGM needed to allocate to strengthen its cybersecurity measures.