Intruders breached the computer system of the multibillion-dollar hotel and casino operator, crippling hotel operations and exposing private customer data.
The city of Las Vegas (CN) — On Friday, MGM Resort International encountered a class action lawsuit resulting from a significant data breach that compromised the personal information of its customers and disrupted its operations. This incident followed a similar class action lawsuit against Caesars Entertainment, another prominent establishment on the Vegas Strip, for a comparable cyberattack.
On September 7th, unauthorized individuals successfully infiltrated the defendant’s network by assuming the identity of an IT administrator and acquiring login credentials. According to the lawsuit filed by Emily Kirwan on behalf of herself and other members of MGM’s loyalty program impacted by the cyberattack, the hackers proceeded to restrict access to the defendant’s network, thereby preventing resort guests from utilizing various electronic amenities such as room cards, Wi-Fi, ATM kiosks, electronic gaming devices, and other services provided by the resort.
Kirwan, who is being represented by attorney Nathan Ring from the law firm Stranch, Jennings & Garvey, asserts that MGM did not fulfill its responsibility to protect and uphold sufficient protocols to prevent the unauthorized exposure of consumers’ data.
Kirwan (year) argues that MGM’s negligence and failure to adhere to “adequate and reasonable” data encryption methods and practices resulted in the exposure of individuals’ full names, dates of birth, residences, email addresses, phone numbers, Social Security numbers, and/or driver’s license numbers. According to the lawsuit filed on Friday in federal court in Nevada, Kirwan asserts that the behavior in question can be classified as negligence and is in violation of both federal and state statutes.
The responsibility for the attack has been claimed by two cybercriminal organizations. In the lawsuit, it is stated that a hacker collective, referred to as “The Scatter Spider,” has asserted responsibility for the theft of a substantial amount of data, specifically “six terabytes,” from Kirwan, a prominent hotel and casino operator with significant financial worth.
The second entity, ALPHV, mentioned in the lawsuit as a ransomware criminal organization, asserted that they had acquired “personally identifiable information.”
According to Kirwan, customers have experienced several injuries due to the actions of the defendant. These injuries include invasion of privacy, the loss of time spent trying to minimize the effects of the data breach, and the ongoing and heightened risk to their personal information.
According to Kirwan, the personal information of consumers may be at risk of additional unauthorized disclosures due to MGM’s failure to implement necessary and sufficient security measures.
MGM acquires clients’ personal information by means of its MGM Rewards Program. The clients were assured through “promises and representations” that their personal information would be securely and confidentially safeguarded.
On September 11th, 2023, MGM issued a communication to notify customers of a cybersecurity incident that had impacted some systems within the organization. As per the claim made by a cybercriminal organization responsible for the attack, the unauthorized individuals were able to breach the defendant’s systems by employing a straightforward social engineering technique wherein they assumed the identity of an employee to acquire access credentials. According to Kirwin’s statement in the lawsuit, when the threat actors successfully infiltrated the network, the cybercriminals proceeded to distribute ransomware with the intention of restricting access to the defendant’s network. This was done as a means of exerting pressure on the defendant to comply with their demands for a ransom payment.
According to Kirwan, it is asserted that MGM had knowledge of its susceptibility to this form of attack due to prior warnings from its IT vendor, Okta. These warnings highlighted a recurring trend of social engineering attacks targeting IT service desk personnel, wherein the caller’s objective was to persuade service desk personnel to reset all multi-factor authentication factors associated with highly privileged users.
Following the occurrence of a cyberattack, a protracted period of queuing transpired for over a week throughout the majority of the lobbies of MGM locations. This was a result of the compromise of the reservation systems, which necessitated personnel to abandon the use of computers and instead engage in manual labor to fulfill their duties.
According to a statement made by MGM Resorts International on the social media platform X (formerly known as Twitter), the company has successfully restored normal operations following a 10-day computer shutdown. MGM Resorts International is the owner of various properties located in Nevada, Massachusetts, Michigan, Mississippi, Michigan, Ohio, and New Jersey. The Las Vegas assets owned by the firm encompass several renowned establishments situated along the Strip. Notably, these include the MGM Grand, which holds the distinction of being the largest hotel-casino on the Strip with a staggering 5,000 rooms. Additionally, the company’s portfolio comprises esteemed properties such as the Bellagio, Vdara, Cosmopolitan, and Mandalay Bay.
At the time of printing, Ring and MGM were unavailable for comment.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
Read More Article Here: