Security Layers and the MGM IT Systems Breach

MGM Security Breach

This blog provides an in-depth analysis of the MGM Security Breach, synthesizing the event and its outcomes from several articles, exploring its causes, consequences, and the critical role of effective password management in preventing such cyber incidents.

Understanding the MGM Security Breach and Its Impact: What happened?

On September 10, 2023, two cybercriminal organizations working in tandem, Scattered Spider and ALPHV, brought operations at $14 billion gaming giant MGM Resorts International to a screeching halt at several of its most significant properties in Las Vegas.

Without warning, reservation systems crashed, websites went offline, and employees were locked out of corporate email accounts. Slot machines went dark, and gaming tables were roped off. There was no credit card processing, Wi-Fi, ATMs, or working point-of-sale systems. The MGM Rewards loyalty program could not award points or allow guests to redeem them. Digital room keys and elevators stopped working.

The properties were forced into manual mode. Upset guests stood in hours-long lines to check in or to get physical room keys reissued. Employees were frustrated by their inability to serve customers and were reduced to giving handwritten receipts for casino winnings. Credit card numbers were written on slips of paper for food, drink, and merchandise purchases (a significant security risk in itself). The staff passed out $25 vouchers like candy to assuage irritated guests.

The breach cost millions in gambling revenue, with total losses estimated as high as $10 million per day over ten days until all systems were restored and operating normally on September 20.

MGM acknowledged that the hackers downloaded six terabytes of data, including the name, address, date of birth, contact information, and portfolio numbers for an unspecified number of guests. It claimed no credit card information was exposed, but that some guests’ driver’s licenses, passports, and Social Security numbers were also harvested.

The impact on MGM has yet to be fully measured. Although the company has cyber insurance and stands to recover much of its operating losses, it chose not to pay the ransom and shut down affected systems instead. That increased incident downtime and stretched recovery timeframes, further frustrating employees and guests.

The company is subject to fines by federal regulatory entities and will possibly lose a percentage of its stock value and customer base. It will be footing the bill for future credit monitoring services for affected guests.

MGM has also been named the defendant in a class action suit filed in the District of Nevada on behalf of all those whose personal information was stolen. And it all may have started with a phone call!

How Did This Happen? The Role of Phishing in the MGM Security Breach

For the technical step-by-step details regarding how the attack was carried out, which services and resources were compromised, and the tools the hackers used to escalate their privileges and wreak havoc once inside the network, please see the list of sourced articles after this blog.

The bottom line is that the origins of the MGM hack can be traced back to a classic phishing attack. Cybercriminals began by mining employee information on LinkedIn to learn personal details, likely targeting someone in IT. Then, they posed as the employee in a phone call to the support desk.

They tried to dupe the administrator into issuing a one-time password (OTP) to bypass standing multi-factor authentication defenses.

It worked. The hackers essentially walked in through the front door. Within hours, they had control of multiple systems and servers, and once they had encrypted the data, they sprang their ransomware trap.

In this case, the cybercriminals were not rewarded because MGM did not pay the ransom, but the damage – upwards of $100 million – was done. Millions previously spent on building firewalls and malware detection to prevent an attack were undone by a simple phone call. Millions more will be paid to replace and upgrade compromised systems.

It is reasonably safe to say that had the one-time password reset not happened, the attackers would have found accessing MGM systems much more challenging.
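A defender-side illustration of the reset-then-login sequence described above, as an added example that is not from the original post or from Passpack: it flags help-desk MFA resets that are followed shortly by a login from a device the account has never used. The event fields, account names, the 60-minute window, and the privileged-account list are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # assumed correlation window
PRIVILEGED = {"alice"}           # assumed list of admin-level accounts

# Constructed sample events; field names are hypothetical, not a real IdP schema.
EVENTS = [
    {"ts": "2024-01-09T09:00:00", "type": "login", "user": "alice", "device": "laptop-A"},
    {"ts": "2024-01-09T09:30:00", "type": "login", "user": "bob", "device": "laptop-B"},
    {"ts": "2024-01-10T14:05:00", "type": "mfa_reset", "user": "alice", "actor": "helpdesk-7"},
    {"ts": "2024-01-10T14:12:00", "type": "login", "user": "alice", "device": "unknown-X"},
    {"ts": "2024-01-11T10:00:00", "type": "mfa_reset", "user": "bob", "actor": "helpdesk-2"},
    {"ts": "2024-01-11T10:20:00", "type": "login", "user": "bob", "device": "laptop-B"},
    {"ts": "2024-01-12T08:00:00", "type": "mfa_reset", "user": "carol", "actor": "helpdesk-2"},
    {"ts": "2024-01-12T11:30:00", "type": "login", "user": "carol", "device": "phone-C"},
]

def find_suspicious_resets(events, window=WINDOW, privileged=PRIVILEGED):
    """Flag help-desk MFA resets followed, inside the window, by a login
    from a device the account had never used before."""
    known = {}    # user -> set of devices seen so far
    pending = {}  # user -> (time of latest reset, help-desk actor)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "mfa_reset":
            pending[user] = (ts, ev["actor"])
        elif ev["type"] == "login":
            seen = known.setdefault(user, set())
            reset = pending.get(user)
            if reset and ts - reset[0] <= window and ev["device"] not in seen:
                alerts.append({
                    "user": user,
                    "device": ev["device"],
                    "reset_by": reset[1],
                    "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                    "severity": "high" if user in privileged else "medium",
                })
            seen.add(ev["device"])
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

The carol events show the rule's blind spot: a first login 210 minutes after the reset falls outside the default window and is only caught when the window is widened.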

How the Passpack Password Management Solution Could Help Mitigate Cyber Attacks

Passpack is an industry leader in identity and access management. The Passpack password management application establishes rules and policies for secure password creation, storage, and sharing across an entire organization.

Passpack employs a centralized, closed-loop model in which a dedicated administrator has 100% visibility and control over all user passwords and credentials.

The application offers a built-in password generator tool that allows administrators to set thresholds for character string length and strength, manage schedules for credential expiration or rotation periods, and prevent password recycling.

Passpack supports advanced features such as single sign-on (SSO), multi-factor authentication (MFA), YubiKeys, role-based access control (RBAC), and more. When user accounts and passwords need to be created, shared, or modified, the administrator is kept fully aware and updated. For extra security, information is shared using end-to-end encryption so only the intended recipient receives the password information.

Most importantly, Passpack employs a zero-trust architecture and uses unique Packing Key technology – a user encrypting key separate from the master password known only to each account owner – to unlock information stored in a Passpack account.

Helpdesk personnel were trained not to grant password reset requests without using MFA, but were somehow fooled into doing so. With an effective password management solution in place along with related policies and procedures, the caller would be expected to log into their password manager account to request a password reset from the administrator.

With Passpack, the criminal would have needed the victim’s encryption Packing Key to access the account of the employee they were impersonating, which is known only by the true user, thereby providing a transparent security layer to mitigate the exposure.

Don’t gamble with security! Strengthening Cybersecurity Post-MGM Security Breach

We are not stating that implementing a password management solution like Passpack would prevent such a sophisticated attack. This cyberattack had many facets, and the hackers employed a lot of resources and determination to break into the MGM IT systems.

However, it does highlight the requirement for a strong password policy to protect an organization’s critical assets. There is no defense against giving out a reset password over the phone. But short of that, an adequately enforced password management policy would have made it more difficult for the hackers to carry out their plan.

Evidently, the MGM hack resulted from a breakdown in security policy and employee training more than anything else. The remedy starts with having a solid foundation of identity and access management tools, enforcing policies, and monitoring who has access to what information – layered security protocols where a password manager should be your first line of defense.

As long as businesses store valuable customer data, criminals will try to steal it – that is, forever. Please don’t make it easy for them. Passpack Password Manager stores unlimited passwords for unlimited users with versatile plans for businesses of every size. Visit us at www.passpack.com and try our service risk-free for 28 days and see how easy and affordable it is to keep all your passwords safe with Passpack.

Sources & Acknowledgements:
The MGM Resorts Attack: Initial Analysis, cyberark.com, By Andy Thompson, 9/22/23

MGM Hack Analysis: Security Still a Test of Your Weakest Link, thenewstack.io, By Dotan Agmon, 10/03/23

MGM Resorts breached by ‘Scattered Spider’ hackers: sources, reuters.com, By Zeba Siddiqui and Christopher Bing, 9/13/23

The chaotic and cinematic MGM casino hack, explained, vox.com, By Sara Morrison, 10/6/23
