The cybersecurity incident that saw MGM Resorts lose multiple functions across its US casino and integrated resort network is “credit negative” for the company and highlights key risks to the business’s operations, said Moody’s Investors Service.
As reported by IAG, the incident on Monday saw MGM forced to shut down its website and reservation systems, while banks of slot machines were reported to be offline for a period of time. ATMs and credit card systems were also down with all transactions by cash only, while some guests were locked out of their hotel rooms because their digital keys were not working. IAG understands that although some casino operations remained online, guests were in some instances made to wait hours for payouts.
According to Moody’s, key risks have been identified around MGM’s “heavy reliance on technology and the operational disruption caused when systems need to go offline or are inoperable.”
Additional risks include potential revenue losses while systems were down, reputational risk, any direct costs related to investigation and remediation, and litigation expense or liability that the company may have because of compromised data. Despite most operations having been restored, MGM’s website remains down almost three days after the incident first occurred.
Citing a cyber risk heat map it published last September, Moody’s noted that it identified the gaming and gambling industry as carrying “moderate cybersecurity risk, mainly because of their highly digitized nature and the large amount of valuable personal data the companies maintain.
“Data on guests in some cases may include personal information about US executives and government officials with security clearances, which is particularly prized by nation-state hacker communities,” it said.
Moody’s also referenced a recent report by cybersecurity ratings and analytics company Bitsight, which had scored MGM an “F” for patching cadence – the speed at which an organization remediates its exposure to known vulnerabilities. In previous studies, Bitsight has shown that an organization scoring an “F” grade in patching cadence is 3.2x more likely to fall victim to a cyber incident than a higher-rated organization, it added.
Malware research group VX-Underground said Wednesday that MGM had been the victim of a cyber attack by ransomware group ALPHV, which it explained “has established a reputation of being remarkably gifted at social engineering for initial access. It isn’t really a surprise ALPHV (or the subgroup) is behind this attack.”
It added that all ALPHV did to compromise MGM was “hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”
However, in the opinion of VX-Underground, MGM will not pay any ransom.