Even some of the country’s largest corporations aren’t safe from hackers. Take it from Caesars Entertainment and MGM Resorts International, which suffered from a cyberattack last month that shook the hospitality industry.
Before we get into how no one’s safe in today’s digital landscape–not even hotel conglomerates worth billions of dollars—let’s recap: On Sept. 7, Caesars’ nine hotels on the Las Vegas Strip were plagued by a cyberattack that the casino giant settled days later with a roughly $15 million ransom payout. However, Caesars’ four-day data breach paled in comparison to the 10-day hack MGM and its 12 Vegas Strip-based hotels suffered from.
More than one week after hackers breached MGM’s computer systems on Sept. 11—which made slot machines go dark, elevators break down, and staffers dish out hundreds of dollars worth of $25 food and beverage vouchers—the Las Vegas-based company tweeted: “We are pleased that all of our hotels and casinos are operating normally.”
Even after MGM resumed as-usual operations, details of the breach—including whether any customer personal info was leaked or if ransom money was doled out—remain unclear, though gaming industry analysts widely reported that the hotel operator was losing as much as $8.4 million per day during the so-called “cybersecurity issue.”
While BizBash can’t fill in the blanks, it can do what it does best and turn this large-scale issue into a valuable lesson for the hospitality, meeting, and event professionals who make up its audience.
Cue Dr. Stephanie Benoit Kurtz, a cybersecurity expert and professor at the University of Phoenix, who explained that it’s actually quite “simple” how Caesars and MGM could’ve fallen victim to such a breach.
“Bad actors are looking for organizations that they can create enough chaos to monetize their efforts,” Kurtz said, hence the ransom money, meaning “all organizations are at risk for cyberattacks regardless of the size or depth of defense that is implemented.”
Put another way, “it is not if an organization will be compromised; it is a matter of when,” Kurtz said.
With that in mind, the best thing for business owners to do is “continue to improve layered defense strategies, be diligent, and regularly test incident response, disaster recovery, and business continuity plans.”
Rather than worrying about preventing a digital attack, “what matters is how quickly the breach can be identified and isolated so that restoration can take place. Unfortunately, the number and complexity of attacks continue to grow and organizations will continue to be breached.”
In fact, ransomware attacks ticked 75% higher per month in the U.S. in the last 12 months, according to the 2023 State of Ransomware Report by anti-malware software Malwarebytes. Between July 2022 and June 2023, “the U.S. was the most attacked country in the world, by far,” Malwarebytes found—suffering 7.5 times more attacks than the No. 2 country, the U.K.
In September, MGM's 12 hotels and casinos on the Las Vegas Strip were hit by a cyberattack that lasted for 10 days.Photo: Shutterstock/Andrew Zarivny
The services industry was the most beleaguered by cyberattacks, followed by the education, healthcare, and IT sectors, though construction, retail, wholesale, F&B, and financial services were also affected, per Malwarebytes.
“Companies in the hospitality and casino industry across the globe are targeted millions of times a day," Kurtz said. "Cybersecurity tools and resources have to create a layered defense strategy and get it right every time. A bad actor, in contrast, only has to get it right once to break in.”
She added, “Understanding how to operate the business while dealing with outages is a part of the reality and should be a key part of any operational strategy."
MGM, for example, adopted its operations at the Bellagio by handing out winnings at working slot machines via handpay, meaning an MGM staffer counted out the cash by hand. And in an effort to appease guests inconvenienced by cyberattack-induced casino outages, MGM’s Aria hotel handed out a $25 dining or beverage voucher.
A casino that was clearly less prepared: Gateway Casino London, which was forced to shutter 14 Ontario, Canada, outposts on April 16 after an online criminal group issued an attack on the slots and table games operator. It wasn’t until April 29 that Gateway began a phased reopening of its properties.
Kurtz cited IBM, which found that the average cost of a breach like the ones these casinos faced in recent months totals an eye-watering $4.45 million. “The implication for organizations in general is loss of revenue, productivity, and costs associated with rebuilding and restoring operations," she said.
“There are various ways that hospitality organizations attempt to reduce guest frustration during any type of outage,” Kurtz noted, adding that companies shouldn’t shy away from giving out freebies when dealing with these costly disruptions. “Vouchers and comps are still very much a part of the industry and how properties can impact the guest experience.”
Among the corporations looking to stay ahead of a potential ransomware attack: the Miami Beach Convention Center, which hosted a venue safety and security training program last month. Check out what tips the venue’s executives shared with its 325 attendees here.
