Ocean's 11 - Cybersecurity Style - The MGM Grand Breach
Revisiting the Breach That Crippled Vegas for Weeks
One of my favorite movies is Ocean’s 11.
It was a very well-done movie with a believable premise: robbing a casino is virtually impossible. That held true until a cybercriminal threat actor said, “Hold my beer,” and the slot machines on the MGM Grand casino floor sat dark for two weeks.
Being a fan of Vegas myself, I have certainly seen the intense physical security inside a casino. I followed this breach very closely, and I thought I’d revisit it two years later because it contains many important lessons. Now let’s read between the lines as we go through them.
Lesson 1: Cybersecurity is an extremely stressful industry to work in
Everyone’s job in the corporate world has its own stressful moments. I can’t imagine being in HR and having to handle a mass layoff event. But can you imagine working in IT for MGM Grand at the time and getting a call from the casino floor manager saying, “All of our slot machines are down”?
It’s chaos. You go to assess the issue. Something is clearly very wrong. People in suits, who will likely make more money than you ever will, are surrounding you, waiting for you to press a few buttons and bring all of the slot machines back online. You know this isn’t going to be easy to fix. Then they ask the question we’ve all been asked before in situations like this:
How long will it take to fix?
And the answer to that question is: you have no idea.
In cybersecurity, you can go for weeks without anything eventful happening, only to suddenly find yourself working day and night as the company’s only hope for survival. The stress is real, and only recently has the mental health of cybersecurity professionals started to get the attention it deserves.
Lesson 2: Sometimes you have to make public statements before you know the full impact
MGM Resorts International, MGM Grand’s parent company, filed 8-K disclosures about this breach before the SEC’s dedicated cybersecurity-incident disclosure requirement for Form 8-K was in force. To be completely fair to them, they didn’t have much of a playbook to follow. They had to wing it with this disclosure. And in my opinion, it was a hot mess.
Here’s an excerpt from their follow-up 8-K filing, which opens by referring back to their September 12, 2023 statement:
On September 12, 2023, MGM Resorts International (the “Company”) issued a statement that it had recently identified a cybersecurity issue affecting certain of the Company’s U.S. systems.
Promptly after detecting the issue, the Company responded swiftly and shut down its systems to mitigate risk to customer information, which resulted in disruptions at some of the Company’s properties but allowed the Company to prevent the criminal actors from accessing any customer bank account numbers or payment card information.
If you work outside of cybersecurity, this statement might sound reassuring. But if you’re in the field, you know the damage had likely already been done. Threat actors work to stay undetected until they’ve achieved their objective; by the time the disruption is visible on a casino floor, the data they came for has usually already left the building.
Based on the ongoing investigation, the Company believes that the unauthorized third-party activity is contained at this time.
But you don’t know that for sure. Systems are still down, the investigation is ongoing, and the threat actor might still be inside. “Contained at this time” is not a comfortable place to be.
The Company has determined, however, that the criminal actors obtained, for some of the Company’s customers that transacted with the Company prior to March 2019, personal information (including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers). For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors. The types of impacted information varied by individual. At this time, the Company does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors.
Why customers who transacted prior to 2019?
Why not customers after 2019?
The answer could be that older customers were on an older, less secure system. This is an issue nearly every large business struggles with, the need to upgrade versus the risk of disrupting a system that works.
Almost every company will claim cybersecurity is of utmost importance. That is, until they see the price tag to fix something, whether it's the cost of an upgrade or the disruption to business. At that point, the old reflex kicks in:
"If it ain’t broke, don’t fix it."
That mentality is the root cause of many cybersecurity incidents.
Lesson 3: Information we place on LinkedIn is a problem
The root cause of this breach was less than spectacular. The threat actor used LinkedIn to identify MGM’s IT admins by their job titles, then called MGM Grand’s help desk impersonating one of them. The help desk reset the account’s password and its MFA, and the rest was history.
How often does this happen? Constantly.
Have you ever gotten a text like this?
“Hey, I’m [important name]. I’m in a meeting and I need your help with something. I can’t take a call right now, but it’s urgent.”
How do you think they knew who to impersonate?
How did they get your number?
It all starts with LinkedIn. Threat actors use it to map out company structures and figure out who controls the money or who has system access. And if you think it’s hard to find someone’s phone number based on name and location, I have news for you. It’s a lot easier than finding your high school crush’s parents’ landline in the white pages.
If we’re going to build a virtual org chart of our companies on LinkedIn, we should expect to be targeted by scammers.
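The chain described in this lesson (help-desk call, password reset, MFA reset, attacker logs in from a device the company has never seen) leaves a recognisable trail in identity-provider logs. The following is an added example, not code from the original article and not anything MGM published: detection logic in Python run over constructed sample events. The log format (timestamp, source, event, key=value pairs), the event names, and the `actor`/`device` fields are assumptions about what a normalized help-desk plus IdP stream might look like; the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example; not real MGM logs. Event names,
# field names and the line layout are assumptions about a normalized stream that
# merges help-desk tickets with identity-provider (IdP) audit events.
SAMPLE_LOGS = """\
2023-09-08T14:02:11Z helpdesk ticket_opened account=jdoe channel=phone caller_claims=IT_admin
2023-09-08T14:05:40Z idp password_reset account=jdoe actor=helpdesk_agent_17
2023-09-08T14:06:02Z idp mfa_device_removed account=jdoe actor=helpdesk_agent_17
2023-09-08T14:09:55Z idp login_success account=jdoe ip=203.0.113.42 device=new
2023-09-08T14:10:30Z idp mfa_device_enrolled account=jdoe ip=203.0.113.42 device=new
2023-09-08T15:00:00Z idp password_reset account=asmith actor=self_service
2023-09-08T15:02:00Z idp login_success account=asmith ip=198.51.100.7 device=known
2023-09-08T16:20:00Z idp password_reset account=bwong actor=helpdesk_agent_03
2023-09-08T16:21:10Z idp mfa_device_removed account=bwong actor=helpdesk_agent_03
2023-09-08T16:30:00Z idp mfa_device_enrolled account=bwong ip=192.0.2.15 device=known
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<kv>.*)$")

# Both of these, performed by the help desk, are what the social engineer needs.
RESET_EVENTS = {"password_reset", "mfa_device_removed"}


def parse(log_text):
    """Turn the text stream into dicts. Malformed lines are skipped, not fatal,
    so one bad record cannot silence the whole detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        fields.update(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            source=m["source"],
            event=m["event"],
        )
        events.append(fields)
    return events


def detect(log_text, privileged=frozenset(), window_minutes=30):
    """Flag accounts where the help desk reset BOTH the password and MFA within
    the window, and a never-seen device then logged in or enrolled MFA within
    the same window after the last reset. Returns a list of alert dicts."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in parse(log_text):
        if "account" in e:
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        resets = [e for e in evs
                  if e["event"] in RESET_EVENTS
                  and e.get("actor", "").startswith("helpdesk")]
        # A lone help-desk password reset is routine; the password+MFA pair is the signal.
        if {e["event"] for e in resets} != RESET_EVENTS:
            continue
        first, last = resets[0]["ts"], resets[-1]["ts"]
        if last - first > window:
            continue
        followups = [e for e in evs
                     if last <= e["ts"] <= last + window
                     and e["event"] in {"login_success", "mfa_device_enrolled"}
                     and e.get("device") == "new"]
        if not followups:
            continue  # resets followed only by known devices: likely a genuine user
        alerts.append({
            "account": account,
            "severity": "high" if account in privileged else "medium",
            "reset_at": first.isoformat(),
            "new_device_ips": sorted({e.get("ip", "?") for e in followups}),
            "helpdesk_actors": sorted({e["actor"] for e in resets}),
        })
    return alerts


if __name__ == "__main__":
    # Treat the admin account as privileged so its alert is escalated.
    for alert in detect(SAMPLE_LOGS, privileged=frozenset({"jdoe"})):
        print(alert)
```

In the constructed sample only `jdoe` trips the rule: `asmith` reset their own password through self-service, and `bwong` had a help-desk reset but re-enrolled from a device already known to the IdP. The `privileged` set is the list of accounts that should never be reset over the phone at all; an alert on one of them deserves a page, not a ticket.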
Lesson 4: BACKUPS BACKUPS BACKUPS
Why did it take MGM Grand weeks to recover?
Because once the threat actors gained access to the environment, they deployed ransomware across the virtual server infrastructure. And what’s the standard procedure in a ransomware event?
Restore from backup.
Although it wasn’t explicitly stated, it’s implied that the entire environment had to be rebuilt. Before cybersecurity threats were top-of-mind, IT departments worried about things like hardware failures and natural disasters. Backups were the last line of defense.
Unfortunately, in many organizations, funds have been diverted from routine IT operations into cybersecurity programs. That sounds good, but skimping on backups is a huge mistake. You should be able to recover from any event, whether ransomware, flood, or fire, from your backups. In practice that means at least one copy the attacker cannot reach (offline or immutable) and restores that are actually tested, because ransomware crews deliberately go after backup systems before they encrypt anything else.
Lesson 5: What could have been done to prevent this?
As I always say: every breach was preventable.
What went wrong here?
This breach boils down to identity verification during account recovery. Both NIST SP 800-63B and ISO/IEC 27001 have controls that require a person’s identity to be verified, with something stronger than a name and a job title, before a help desk issues new credentials or resets authentication factors.
Had those been followed, the password and MFA wouldn’t have been reset on a caller’s say-so, and the breach wouldn’t have happened.
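To make that control concrete, here is an added example (not from the article, and not MGM’s, NIST’s or ISO’s own code) of a help-desk account-recovery policy in Python. The principle it encodes: facts a caller can recite never count, because they are exactly what LinkedIn gives away; only verifications the help desk initiates through a channel on file count; an MFA reset is riskier than a password reset; and privileged accounts never get their MFA reset remotely. The evidence names, thresholds and the `privileged` flag are assumptions chosen for this example, not requirements quoted from either standard.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_RESET = "mfa_reset"


# Things a caller can simply recite. Name, title, manager and even employee ID
# are discoverable from LinkedIn or a prior leak, so they never count on their own.
KNOWLEDGE = {"name", "title", "manager_name", "employee_id"}

# Verifications the help desk initiates using data already on file, so a caller
# who merely knows whom they are impersonating cannot satisfy them.
# (Evidence names are assumptions for this example.)
CALLBACK = "callback_to_number_on_file"
OTP_TO_REGISTERED_DEVICE = "otp_to_registered_device"
MANAGER_APPROVAL = "manager_approval_out_of_band"
IN_PERSON = "in_person_id_check"
STRONG = {CALLBACK, OTP_TO_REGISTERED_DEVICE, MANAGER_APPROVAL, IN_PERSON}


@dataclass
class RecoveryRequest:
    account: str
    action: Action
    privileged: bool                # admin / IT accounts take the stricter path
    evidence: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(req: RecoveryRequest) -> Decision:
    """Decide whether the help desk may perform the requested recovery action."""
    recited = req.evidence & KNOWLEDGE
    strong = req.evidence & STRONG

    if not strong:
        return Decision(False, f"only recited facts {sorted(recited)} presented; "
                               "nothing was verified through a channel on file")

    # An in-person ID check settles it for any account and any action.
    if IN_PERSON in strong:
        return Decision(True, "identity verified in person")

    # Removing the second factor from an admin account is the one thing the
    # help desk must never do over the phone, however convincing the caller.
    if req.action is Action.MFA_RESET and req.privileged:
        return Decision(False, "privileged MFA reset is not performed remotely; "
                               "requires in-person ID check")

    # MFA resets and privileged password resets need two independent channels;
    # an ordinary password reset needs one.
    needed = 2 if (req.privileged or req.action is Action.MFA_RESET) else 1
    if len(strong) < needed:
        return Decision(False, f"{req.action.value} needs {needed} independent "
                               f"verification(s), got {len(strong)}: {sorted(strong)}")
    return Decision(True, f"{req.action.value} verified via {sorted(strong)}")


def mgm_style_call() -> Decision:
    """Constructed scenario: a caller claiming to be an IT admin, offering only
    the name and title that LinkedIn already shows, asks for an MFA reset."""
    return authorize(RecoveryRequest("it_admin_01", Action.MFA_RESET,
                                     privileged=True, evidence={"name", "title"}))


if __name__ == "__main__":
    print(mgm_style_call())
```

The awkward case is the one help desks get wrong: a user who genuinely lost their phone cannot receive a one-time code, so the policy offers a second path (callback to the number on file plus out-of-band manager approval) for ordinary accounts, and sends admins to an in-person check. Whatever the thresholds, the decision and the evidence behind it should be logged; that record is what the detection in Lesson 3 would be correlating against.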
The causes of breaches almost always come down to simple things, not complex zero-day exploits or nation-state-level malware.
The content of this article is my opinion based on publicly available information. For the most up-to-date and accurate information, please refer to official company statements.