MGM Had ‘F’ Grade for Cyber Vulnerability Prior to Hack

Prior to the recent ransomware attack that continues disrupting MGM Resorts International’s domestic gaming operations, the casino giant received an “F” grade from a cybersecurity analytics company regarding its speed in addressing cyber vulnerabilities.

MGM hack
MGM’s Aria on the Las Vegas Strip. The operator had an “F” grade for cybersecurity patching cadence before a recent ransomware attack. (Image: YouTube)

In its most recent batch of cybersecurity ratings, Boston-based BitSight, a cybersecurity ratings and analytics company, graded MGM’s patching cadence with an “F.” Patching cadence is the speed at which an organization addresses known cyber issues and vulnerabilities.

While it’s not clear whether or not the hackers who hit MGM on September 10 are avid followers of BitSight ratings, it is clear that corporations that receive an “F” patching cadence grade from the research firm are 3.2x more likely to be victimized by an adverse cyber event than those with an “A” grade, and 50% more likely to endure such a scenario than those scoring a “B.”

Cyber incidents are defined as ransomware attacks, data breaches, and business interruptions that compel the affected party to make cyber insurance claims or notifications.

Maybe Something to MGM “F” Grade

To be clear, BitSight didn’t single out MGM — other companies can and do receive the dubious “F” grade for patching cadence. However, the operator has an inauspicious cybersecurity history.

In February 2020, it was revealed that in 2019, hackers stole sensitive data of 10.6 million MGM customers, including some celebrities, from the company’s database and later marketed that data for profit on the dark web.

Last December, BetMGM, which is 50% controlled by MGM, confirmed a data breach that was believed to have occurred in May 2022. The Bellagio operator isn’t alone. Rival Caesars Entertainment was also recently the victim of a ransomware attack, and the travel and leisure industry, including casino operators, has a history of being a favored target of cyber criminals.

“In terms of improving security, casinos, like many other industries, need to increase awareness of their vulnerabilities, strengthen network segmentation, limit access control, and strengthen practices around patching and updates, and especially remote access,” said Waterfall Security Solutions CEO Lior Frenkel in comments made to Casino.org.

MGM Paying Price … Literally

While rival Caesars revealed in a recent regulatory document that one of its insurance carriers picked up the tab for an unspecified payment to hackers to end a ransomware attack, MGM has yet to follow suit. The cyber attack on MGM is on its 10th day and is costing the operator as much as $8.4 million per day in lost revenue.

That works out to $84 million — a fraction of the $14.8 billion in consolidated revenue the Cosmopolitan operator generated for the 12 months ending June 30.

While $84 million isn’t a massive number in corporate terms, it’s likely more than what the hackers are demanding and potentially more than MGM needed to allocate to address its cybersecurity needs.

Todd Shriber
Todd Shriber Financial Reporter

Todd Shriber is a senior news reporter covering gaming financials, casino business, stocks, and mergers and acquisitions for Casino.org.

Todd got his start in financial markets as a reporter with Bloomberg News. Later, he became a trader at a Southern California-based long/short hedge fund, where he specialized in the trading sector and international ETFs leading up to and during the financial crisis. He joined Casino.org in 2019.

Currently, Todd analyzes, researches, and writes on ETFs for various web-based publications and financial services firms. Shriber has been featured and quoted in Barron's, CNBC.com, and The Wall Street Journal. His work can also be found on Benzinga, ETF Daily News, ETF Trends, MarketWatch, Fox Business, and Nasdaq.com.

He currently resides in Las Vegas, where he enjoys golf and taking his black lab to the dog park. He's also an avid sports fan and likes to wager on college football and the NBA. You can also find him at the three-card poker and roulette table, even though he knows better.

Contact Todd at todd.shriber@casino.org.

Comments icon

Conversation (1 comment)

+ Add a comment
  • M
    Mau September 20, 2023
    A cyber research companies do a pretty good job in assessing such things. The fact that MGM received such an awful grade should give any… A cyber research companies do a pretty good job in assessing such things. The fact that MGM received such an awful grade should give any other organization that is not investing in such technology serious reconsideration of their investment and commitment to ramping up their security. MGM probably spends hundreds of millions of dollars a year if not more on such technology.
    Reply

Write a comment

Your email address will not be published.