In the ever-evolving landscape of cyber security threats, no organization, regardless of its size or prominence, is immune to the threat of cyber attacks. The recent breach at MGM Resorts International serves as a great reminder that even giants of the entertainment and hospitality industry can fall victim to cyber criminals.

In this blog post, we’ll not only review what MGM as a company should be doing following this attack but also delve into what your company should be doing, too. Even if your company is not in the hospitality or entertainment industry, any big mainstream news story like this serves as a great opportunity to light a conversation within your company to grow your security culture. 

The MGM cyber attack 

What happened?

On September 11th, casino and hotel chain, MGM, reported a “cybersecurity issue” and stated they needed to shut down their systems to protect their business and customer data. The result? For days there were reports that everything from digital gambling machines to electronic hotel keys were offline. According to Morphisec, these disrupted operations led to a $80 million loss in revenue for the corporation

MGM building
Photo by David Vives on Unsplash

"It’s been a “super-fantastic” experience to see people learning and talking about security threats."

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

 More importantly, the hackers claim to have stolen 6 terabytes of data including the driver’s license numbers and social security numbers of loyalty program members. 

What was the direct cause?

Social engineering. Social engineering is not a technical strategy, but rather a psychological or emotional strategy that an attacker uses in order to convince, manipulate, or trick an employee or data holder to give them access to their systems. 

In this case, the hackers found an MGM employee on LinkedIn and impersonated them in order to trick the IT desk into helping them gain access to the network. After the initial entrance into the systems, they were able to access multiple passwords and launch ransomware attacks. 

Is this type of attack new?

This type of attack is as old and classic as hacking and social engineering can be. Impersonating one person to trick another into gaining access to an email, a locked room, or a hotel room you do not belong in are some of the oldest tricks in the book. 

As long as humans have been around other humans have been engineering them into gaining what they want or need. The reason some people may believe these cyber attacks are new is because cyber security reporting is becoming easier and more popular in mainstream media. 

What should MGM do now?

Having a remediation plan is as important as having cyber insurance, cyber awareness training, or any other step in your security awareness program. Being such a large and prominent organization, we expect that MGM has a remediation plan on deck and has been implementing it immediately. 

If we were MGM, these are some things that would be included in our next steps: 

  • Post an internal and external bulletin about the attack. In this post, we will include all the information we know, including how the attack happened, the suspected data breach, and any next steps we want our customers to be aware of. Transparency is crucial in times like these, so your customers should be notified as soon as it is safe to do so. 
  • Have our security team conduct an attack analysis, identifying any possible current vulnerabilities. After the attackers gained access to the MGM systems they went after OKTA for more privileged account access, MGM shut down these systems although the attackers already had super admin access. Had a thorough analysis been done before deciding to shut down the systems, this could have been caught. 
  • Add additional training and policies for IT desk fraud and social engineering. Since the attackers were able to easily pretend to be someone else and gain access to the network through the IT desk, it is clear there are no personal verification processes (or not enough) through the IT process. Processes to make this impossible a second time should be implemented immediately. All employees should also join training in social engineering. 

What should other companies do?

As a security professional or business owner, after any big cyber security news story hits mainstream media like this one, you need to take action. This story is evidence to your executives and employees that cyber attacks can happen to anyone. Use it as your next tool to start conversations and spark action. 

Share the story

Chances are even people in your organization who aren’t security geeks have briefly seen the “MGM” headlines and wonder what’s going on. Take advantage of this spark of curiosity by sharing the story with the whole organization. 

Book a quick, important meeting with your executives to go over the story. Present the revenue lost due to operational disruptions, the number being asked for ransom, and other numbers that will grab their attention. Draw out the story for them to show how easy it was for these extreme cyber hackers to get into a huge organization with lots of important data. Then, provide your executives with hope and action by telling them what you plan to do to stop this from happening to them.

In your team’s #security or #general channel in Slack, share the story. Identify the threats, assets, and vulnerabilities, and ask a question to continue the conversation. Remember, you don’t want to scare your employees by saying “SEE – This is what happens when you don’t do your training”, but instead encourage reflection and curiosity by sharing the story and keeping the conversation open. 

Analyze if it could happen to you

Conduct a threat analysis of the case. Identify all the vulnerabilities that allowed this attack to occur and then see if they exist within your organization. In this case:

  • What information is available about your employees online?
  • Does your IT Desk have a secure employee identification and confirmation process? Is it strong enough?
  • Will your system alert you when something looks wrong? How often do you check your servers for unusual activity?
  • Do you have a breach action plan?

If any of these vulnerabilities are identified in your organization, act immediately to cover them. 

Implement social engineering training

If anything, let this be a lesson that employees still can and will fall for social engineering attacks. The best way to protect your business from a human risk like this is to implement security awareness training modules specifically for social engineering. 

If you have an IT Help Desk, now is also a great time to implement customized group training. Create a group with all IT Help Desk employees with targeted training that includes identifying employees and stopping social engineering attacks.

A screenshot of social engineering training that could have prevented the MGM attack

Create an IT Help Desk customized training group using Click Armor’s new Customized Training Group Feature. Book a call with us to see a demo

Although the MGM attack is a scary story, don’t let it scare you away from using it as a positive learning opportunity for your organization. Now is a great time to share this story with your team to encourage conversation and grow your security culture. You can also conduct your own threat analysis to identify any vulnerabilities that could lead to a similar attack and pitch the solutions to your executives. Most importantly, use this as the final motivation you need to implement social engineering training for all employees to protect your business and customer data. 


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.