What Insurance Brokers Can Learn from the MGM Cyber Attack

The word “casino” brings to mind an atmosphere of thrilling games, dazzling lights, and fortunes won or lost at the toss of a die. But recently, it became the backdrop for a real-life drama when a cyber attack crippled the operations of MGM Resorts International, one of the world’s largest gambling conglomerates. The MGM cyber attack should serve as a grave reminder to Cyber Insurance agents and brokers about the vulnerabilities companies face and the expensive ramifications that ensue.

MGM Cyber Attack: What Happened?

On Sept. 11, MGM announced a significant “cyber security issue” affecting its systems. This was no minor glitch. Reportedly, digital hotel keys malfunctioned, slot machines went haywire, and even the company’s websites went dark. As a result, guests faced long waits for physical room keys and had to contend with manual processes for their casino winnings.

However, the nightmare didn’t end there. On Oct. 5, the casino giant delivered more distressing news. Hackers had accessed the personal data of some of its customers, including names, contact information, and more sensitive details such as passport and Social Security numbers. The data breach involved customers who utilized MGM services before March 2019.

Yet, what’s truly alarming about the MGM cyber attack is not merely the disruption it caused but the apparent ease with which the hackers, believed to be the group Scattered Spider, infiltrated the systems. By using a social engineering attack, specifically “vishing” (voice phishing), they reportedly exploited human vulnerabilities to gain access.

The Human Element: The Weakest Cyber Security Link

Despite advanced security infrastructure, many companies remain vulnerable due to human error. Scattered Spider, known for its prowess in social engineering, reportedly found an employee’s details on LinkedIn. By impersonating this employee, they persuaded MGM’s IT help desk to provide them with the necessary credentials.

While digital cyber attacks like malware and ransomware grab headlines, social engineering attacks, especially vishing, present a growing threat. It’s alarming how a simple phone call, combined with information publicly available on platforms like LinkedIn, can pave the way for such significant breaches.

Stephanie Carruthers, a “chief people hacker” for IBM, encapsulates this threat succinctly. She explains how vishing is often simpler and more effective than its digital counterparts. But despite its increasing prevalence, many companies overlook vishing in their cyber security training.

The Financial Impact: A Costly Affair

As MGM’s operations stalled, the financial ramifications became evident. The company expects the MGM cyber attack to dent its third-quarter results by a whopping $100 million. Additionally, it foresees one-time costs of less than $10 million associated with the attack. The incident will undoubtedly affect the company’s reputation, potentially leading to decreased customer trust and long-term financial implications.

A Warning for Cyber Insurance Professionals

For Cyber Insurance agents and brokers, the MGM cyber attack is a cautionary tale. It’s clear that the future of cyber security isn’t just about thwarting sophisticated digital breaches but also about addressing the human element.

Companies should be educated on the dangers of social engineering attacks regardless of their size or industry. Employees at all levels need comprehensive training on identifying and responding to such threats.

For those affected by breaches, quick damage control is imperative. While MGM offers free identity protection and credit monitoring, customers are advised to be proactive. Checking bank statements, being cautious of suspicious emails, and even considering freezing credit cards are steps in the right direction.

In conclusion, the MGM cyber attack showcases the multifaceted nature of today’s cyber security threats. As Cyber Insurance professionals, staying updated and educating clients on the evolving nature of these threats is no longer just an option: It’s a necessity.

In the face of rising cyber attacks, your business clients need Cyber Insurance protection now more than ever. From small startups to large enterprises—any organization that handles digital data can benefit. Learn about who needs Cyber Liability Insurance and how to sell it.
