MGM Cyberattack Emphasizes Need for Layered Digital Defenses

The odds are stacked in favor of increasingly bold and sophisticated cybercriminals, as MGM Resorts International and Caesars Entertainment learned back in September. This means organizations need multiple layers of defense and heightened vigilance against cyberattacks.

MGM Resorts, which owns and operates multiple hotels/casinos in Las Vegas, including the Bellagio, Mandalay Bay and Luxor, along with other properties around the country, reported a “cybersecurity issue affecting some of the company’s systems” on Sunday, Sept. 10 in a social media post. 

The issue prompted MGM to take some of its systems offline while it dealt with the intrusion and worked with law enforcement. As a result, guests could not use digital hotel room keys, casino gaming was shut down, bars and restaurants could only accept cash, and MGM hotels could not accept new reservations, per news and social media reports. As of Monday, Sept. 11, MGM said systems were again “operational,” but reports of business disruption—and disgruntled guests—continued over the coming weeks.

In light of this large-scale incident, it’s evident that no organization is immune to cyberattacks, subsequent business interruptions and related losses. As such, organizations should make it a priority to assess their current risk management practices and make adjustments as needed to help foster a strong cybersecurity posture. This may entail adopting both technical and operational safeguards (e.g., updated threat detection software, advanced access controls, routine staff training and in-depth cyber incident response planning). 

Businesses Increasingly Encountering Coverage Exclusions for Wrongful Collection of Data

A growing number of businesses have begun leveraging biometrics, pixels and other tracking technology to gather personal information from stakeholders for various HR, advertising and marketing processes; however, doing so poses several data privacy concerns. For instance, businesses that neglect to comply with applicable international, federal and state legislation (e.g., The General Data Protection Regulation, the Health Insurance Portability and Accountability Act, the Biometric Information Privacy Act and the California Privacy Rights Act) when collecting, processing and storing stakeholders’ data could face substantial regulatory penalties, costly lawsuits and associated cyber losses.

Compounding concerns, cyber insurance carriers are increasingly excluding coverage for losses caused by the wrongful collection of data, leaving businesses largely unprotected against this exposure. With this in mind, it’s critical for businesses that leverage tracking technology to maintain compliance with relevant data privacy laws and make it a priority to obtain stakeholders' consent before using their personal information, thus keeping associated cyber losses to a minimum. 

Tips for Protecting Against Doxxing

“Doxxing” is a type of cyberattack that results in the collection and exposure of sensitive information that could damage the credibility or reputation of a person or an organization. With doxxing, a cybercriminal’s goal is to breach, collect and expose documents, often abbreviated as “docs.” This is usually done with the purpose of either harassing, blackmailing or embarrassing the target. Sometimes, doxxing may even be part of the hacker trying to get revenge or incite physical harm.

In a doxxing attack, a cybercriminal may use any of a number of possible methods to gain access to sensitive records. These can vary greatly and include leveraging compromised IP addresses, breaching poorly protected Wi-Fi networks, stalking social media profiles or even using cellphone numbers to learn targets’ personal information.

To help prevent potential doxxing incidents, it’s crucial for businesses to implement and enforce the following cybersecurity practices:

• Require employees to create strong passwords with a variety of letters, numbers and special characters. Have employees use different passwords across their work platforms and accounts.
• Prohibit employees from connecting their devices to untrusted or unprotected Wi-Fi networks.
• Keep software for workplace technology up to date, and avoid installing any unapproved software.
• Implement virtual private networks when possible in order to conceal employees’ IP addresses.
• Instruct employees to steer clear of suspicious websites, be wary of phishing emails, avoid using their work email for personal reasons and refrain from sharing private information on social media. These policies should be followed by all employees, including leadership, whether they are working at the office, remotely, or with company technology or personal devices. 

This Cyber Risks & Liabilities newsletter is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2023 Zywave, Inc. All rights reserved.