Pro Take: MGM Casino Hack Shows Challenge in Defending Connected Tech
The cyberattack on MGM Resorts International this week has highlighted the difficulty in keeping sprawling tech infrastructure and thousands of employees secure, amid a push by the hospitality sector to integrate internet-connected technology.
Long lines at casinos in Las Vegas, locked hotel rooms and downed slot machines this week show how a cyberattack can be devastating to even well-resourced operations, experts say.
That the attack had such an impact on a major operator, in an industry that has always been heavily focused on security, came as a shock to some observers.
“I’ve been around this industry for a very long time, and not much surprises me anymore, but I was pretty surprised to see this,” saidAlex Hamerstone,advisory solutions director at cybersecurity company TrustedSec, who works with casinos and hotels.
Hamerstone said that a combination of the shift to online services with sports betting becoming legal in many states, the use of internet-connected machines on gambling floors, and a growing dependency on mobile technology for hotel procedures such as guest check-in and room entry have expanded the ways in which hackers can break into systems.
Managing infrastructure on the scale of a large casino or resort is no small task. Companies should consider redundant systems which can kick in if primary servers are taken out of commission, saidNick Hyatt,cyber practice lead at Denver-based security company Optiv. Ensuring that critical applications are protected by walling them off from the wider network is also important, he said.
“While back-end infrastructure being affected can cause serious performance issues and slowdowns, when things like slot machines and hotel door keys don’t work, that gets out on social media and can have widespread reputational effects,” he said.
The use of many internet-connected devices in environments such as hospitality organizations can also complicate matters for defenders. These devices often don’t have the same security protections as more advanced systems, and can be compromised to gain access to a network. Deploying zero-trust networks, in which users are constantly challenged so as to stop hackers from spreading unchecked once they are inside networks, is crucial, saidSaeed Abbasi,manager of vulnerability and threat research at cloud-security companyQualys.
Equally important, saidMatt Belkin,chief operating officer of insurer Acrisure’s Cyber Services unit, which provides cybersecurity and incident response services, is making sure that employees are properly trained. Sophisticated technology and round-the-clock monitoring can be defeated if an employee isn’t aware of how to detect social-engineering schemes or clicks on a malicious link, he said.
Social-engineering tactics were reportedly used by hackers in a recent compromise ofCaesars Entertainment,which also operates casinos on the Las Vegas Strip. People familiar with the matter told The Wall Street Journal that the company paid a ransom to the attackers to avoid disruption to its business. MGM hasn’t said whether it received a ransom demand.
Geoff Haydon,chief executive of cybersecurity company Ontinue, said that even when companies take extreme measures to contain an attack, such as shutting some systems down entirely, that can be disruptive in its own right. The interconnected nature of technology in hotels and casinos also means that by gaining entry to just one system, hackers can often find routes to others, he said.
The hospitality industry is an attractive target to hackers because of the high levels of sensitive financial and personal information hotels and casinos hold on customers, saidBryon Hundley,vice president of intelligence operations at the Retail and Hospitality Information Sharing and Analysis Center, a cyber intelligence platform for those industries.
MGM said in a statement Monday that guest services were operational, but that it was continuing to investigate the attack. As of early afternoon Wednesday, its website was still down with a holding page that offered refunds to customers who had booked a trip this week.
Casino goers posting to platforms such as X, formerly known as Twitter, and TikTok have expressed frustration at the outages. They said that long lines at hotel check-ins have persisted, and employees are being forced to conduct checkouts and payouts from gambling machines manually, with many outlets accepting cash only.
—Catherine Stupp contributed to this article.
Write to James Rundle at james.rundle@wsj.com