MGM Had ‘F’ Grade for Cyber Vulnerability Prior to Hack

Posted on: September 19, 2023, 11:32h. 

Last updated on: September 19, 2023, 07:03h.

Prior to the recent ransomware attack that continues disrupting MGM Resorts International’s domestic gaming operations, the casino giant received an “F” grade from a cybersecurity analytics company regarding its speed in addressing cyber vulnerabilities.

MGM’s Aria on the Las Vegas Strip. The operator had an “F” grade for cybersecurity patching cadence before a recent ransomware attack. (Image: YouTube)

In its most recent batch of cybersecurity ratings, Boston-based BitSight, a cybersecurity ratings and analytics company, graded MGM’s patching cadence with an “F.” Patching cadence is the speed at which an organization addresses known cyber issues and vulnerabilities.

While it’s not clear whether or not the hackers who hit MGM on September 10 are avid followers of BitSight ratings, it is clear that corporations that receive an “F” patching cadence grade from the research firm are 3.2x more likely to be victimized by an adverse cyber event than those with an “A” grade, and 50% more likely to endure such a scenario than those scoring a “B.”

Cyber incidents are defined as ransomware attacks, data breaches, and business interruptions that compel the affected party to make cyber insurance claims or notifications.

Maybe Something to MGM “F” Grade

To be clear, BitSight didn’t single out MGM — other companies can and do receive the dubious “F” grade for patching cadence. However, the operator has an inauspicious cybersecurity history.

In February 2020, it was revealed that in 2019, hackers stole sensitive data of 10.6 million MGM customers, including some celebrities, from the company’s database and later marketed that data for profit on the dark web.

Last December, BetMGM, which is 50% controlled by MGM, confirmed a data breach that was believed to have occurred in May 2022. The Bellagio operator isn’t alone. Rival Caesars Entertainment was also recently the victim of a ransomware attack, and the travel and leisure industry, including casino operators, has a history of being a favored target of cyber criminals.

“In terms of improving security, casinos, like many other industries, need to increase awareness of their vulnerabilities, strengthen network segmentation, limit access control, and strengthen practices around patching and updates, and especially remote access,” said Waterfall Security Solutions CEO Lior Frenkel in comments made to Casino.org.

MGM Paying Price … Literally

While rival Caesars revealed in a recent regulatory document that one of its insurance carriers picked up the tab for an unspecified payment to hackers to end a ransomware attack, MGM has yet to follow suit. The cyber attack on MGM is on its 10th day and is costing the operator as much as $8.4 million per day in lost revenue.

That works out to $84 million — a fraction of the $14.8 billion in consolidated revenue the Cosmopolitan operator generated for the 12 months ending June 30.

While $84 million isn’t a massive number in corporate terms, it’s likely more than what the hackers are demanding and potentially more than MGM needed to allocate to address its cybersecurity needs.