The MGM Data Breach: 10 Important Lessons to Limit Your Cybersecurity Flaws


Dive into the MGM Data Breach: Discover root causes, the impact of credential stuffing, and 10 vital cybersecurity lessons for businesses.

Episode Transcript

A couple of weeks back, a series of unexpected disruptions hit the MGM Grand Casino. Guests faced challenges accessing their rooms, slot machines went offline, and ATM issues on the casino floor caused a stir. MGM vaguely attributed these hiccups to a “cybersecurity incident.” However, for those familiar with the realm of cybersecurity, the nature of these issues paired with MGM’s statement clearly hinted at a successful cyberattack.

The Cause of the MGM Data Breach

The root of MGM’s vulnerability? They became the victim of a massive cyberattack due to a combination of policy failures and system vulnerabilities. The attackers easily breached MGM’s defenses, largely thanks to weaknesses such as credential stuffing (indicative of poor password practices), social engineering tactics, insecure administrative password resets, and the absence of system segregation. Shockingly, the assailants claimed to have taken only about 10 minutes from their initial intrusion to gain full control over MGM’s systems. While the Blackcat ransomware group has claimed responsibility, verifying their involvement remains challenging without further evidence.

This incident not only underscores the urgent need for rigorous cybersecurity measures but also exposes a significant gap in our understanding of cyber threats. Often, the real depth of a cyberattack and the company’s missteps only come to light if insider information is leaked. This lack of transparency might be contributing to the complacency around cybersecurity. As the aftermath unfolds, one cannot ignore the series of avoidable lapses that led to this situation.

“Credential Stuffing” and the MGM Data Breach

As of now, the primary suspected method of infiltration is “credential stuffing.” Before diving in, it’s essential to recognize that, as with most cybersecurity breaches, the details are often fluid and can change as investigations proceed.

“Credential stuffing” involves attackers taking already breached usernames and passwords and “stuffing” them into various systems, hoping for a match. A common human flaw is the tendency to reuse passwords across multiple platforms. If one of these platforms suffers a breach, attackers then have a set of credentials they can potentially use elsewhere. Once a vulnerability is discovered, the clock starts ticking. MGM’s hackers might have gained access within an impressive 10 minutes, a duration that many might scoff at but becomes plausible when understanding the nature of cyberattacks. 

Once inside, attackers typically gauge their level of access and strategize accordingly. If their access is limited, they probe for easy pickings or paths to escalate their privileges. In MGM’s scenario, it seems they contacted MGM’s helpdesk, leveraging further vulnerabilities, to gain even more access, eventually compromising MGM’s Okta infrastructure.

The Keys to MGM’s Kingdom: Identity Management Infrastructure

Okta functions as an identity provider, streamlining an organization’s identities to facilitate secure and seamless access to its various systems. While some refer to Okta as an SSO (single sign-on) provider, its role is much deeper. Okta not only offers single-click access to multiple applications but also controls an organization’s identity across numerous systems, including cloud systems and core control systems like Active Directory. Gain administrative access to Okta, and you’ve practically hit the cybersecurity jackpot.

This incident also draws attention to the interconnected nature of today’s corporations. MGM Entertainment isn’t just one entity; it’s a conglomerate with various components. Penetrate one, and you might gain access to multiple sectors. Such access doesn’t stop with one organization. The reach could extend to associated or umbrella entities – essentially granting control of multiple “kingdoms.”

Hacks that target infrastructure like Okta should also serve as a wake-up call for managed service providers (MSPs). These providers often manage networks for numerous clients. Should an MSP be compromised, potentially hundreds of businesses could be at risk. An MSP’s credentials can grant attackers high-level administrative access across multiple companies, especially when MSPs rely on infrastructure tools intended to simplify access to multiple systems, the same kind of tools that were taken advantage of to access MGM.

The “Human” Factor in the MGM Data Breach

The MGM hack also underscores the importance – and vulnerability – of the human element in cybersecurity. The attackers reportedly identified a helpdesk employee via LinkedIn, gleaned information about the employee, and made a call pretending to be said employee. All within 10 minutes. This “social engineering” approach exposes the frailty of human-driven security protocols. The ease with which the attackers bypassed the helpdesk’s validation procedures is alarming.

In the dynamic world of cybersecurity, it’s easy to forget that criminals, while often painted with a broad brush, possess intricate motives and strategies. Criminals, by their very nature, are looking for the easiest path to their reward. But honestly, who isn’t? In reality, just like everyone else, cyber criminals are trying to optimize their effort based on the potential payout. Make your data a tough nut to crack, and they’re likely to move on to an easier target.

But when the stakes are high – think gaining access to a data goldmine – their dedication to the task can skyrocket. The best cyber criminals know how to exploit people – it’s quite literally their profession. They knew what to say, how to act, when to push, in order to get a person whose literal job is security to provide access in a way that was contrary to cybersecurity principles. They’re good at what they do.

The Other Heist: Cyberattack at Caesars

While MGM’s breach grabbed headlines, another casino – Caesars – has had its own share of cybersecurity problems. A public filing revealed a significant cyberattack on their hotel loyalty program. Hackers stole personally identifiable information, including members’ Social Security and driver’s license numbers. Caesars even reportedly paid approximately half of a $30 million demand to prevent the hackers from leaking the data.

Here’s the unnerving part: Why would a loyalty program have such sensitive information in the first place? This leads us to the principle of “Data Minimization” – the practice of collecting only the essential data and nothing more. It’s a cornerstone of GDPR, and the CCPA has highlighted its importance too. But, despite its crucial role in privacy, it appears that many have missed the memo.

Side note: What’s even more baffling is the decision to store this data alongside other personal details, turning the database into a one-stop-shop for hackers. As privacy professionals, it’s agonizing to witness such basic missteps, especially when they lead to massive breaches.

10 Lessons to Learn from the MGM Data Breach

What, then, are the lessons we can learn from the MGM (and Caesars) breach?

  1. Least Privilege Principle: The mantra is simple: if you or your employees don’t need access, they don’t have it. This concept ensures restricted access to data, systems, and workstations. And remember, not every standard user requires admin access!
  2. Network Segregation: Size doesn’t matter; what matters is structure. Large, interconnected networks need boundaries. Don’t mesh your core identity system with unrelated ones like the door card or fire suppression system. By segregating systems, you create hurdles for malicious actors or software, buying defenders extra time to intervene.
  3. Public Attack Surface: Anything unnecessarily open to the public is a golden ticket for hackers. Shield it behind VPNs, implement zero-trust network architectures, and ensure your online assets aren’t just sitting ducks.
  4. Password Hygiene: You’ve heard it before. Hear it again: Passwords should be complex. But gradually move away from passwords. Look into app-based connections, identity providers (IdP), hardware tokens like YubiKeys, and more. These are your future guardians against cyber threats.
  5. Good Practices for Privileged Users: Companies with helpdesk personnel need to realize the kind of power these roles hold. Policies must be foolproof and strictly followed. Any anomaly should raise a flag.
  6. Cybersecurity Training: Gone are the days when phishing was just about the notorious “Nigerian prince.” Modern phishing campaigns are sophisticated, mimicking genuine company communications. Awareness and training are the best defenses against these.
  7. Re-thinking Public Networks: Here’s a revelation – it’s not about LinkedIn being public; it’s about our verification systems. If identity verification can be done using LinkedIn data, the verification process needs a revamp. Employees should have unique identifiers, not based on public information.
  8. Vulnerabilities of New Helpdesk Employees: The newer members, eager to make a mark, might be more vulnerable to crafty social engineering. They need special attention and training. Their inexperience shouldn’t become a company’s Achilles’ heel.
  9. Senior Management’s Role: It’s not just about the newbies. Senior management can sometimes be the culprits, pressuring lower-rank employees to bypass security. Cybersecurity should be top-down, with senior execs leading by example.
  10. Inconvenience is Cool: Here’s the finale – it’s time to embrace inconvenience in the name of security. Not everyone needs access to everything. Restriction might not sound cool, but it’s a strong deterrent for potential cyber threats.

Bonus: Take protecting the data you’ve been entrusted with seriously. Employing policies that take the lessons of data minimization to heart will save you, your business, and your customers a lot of heartache by making sure that you only hold the data you need.

In conclusion, to prevent becoming the next big cyberattack headline, businesses must re-evaluate their cyber practices. It’s a blend of technology, processes, and most importantly, mindset changes, from the C-suite down to the newest hire in the helpdesk department. Embrace security, even if it means a tad bit of inconvenience. After all, better safe than sorry!

We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.

©2022 Fearless Paranoia