It’s been two weeks since MGM Resorts International first reported it was experiencing a so-called “cybersecurity issue” — since widely reported as a ransomware attack — yet the hospitality giant still remains tight-lipped about the event.
On Sept. 11, MGM Resorts took to X, the platform formerly known as Twitter, to announce it had identified and was investigating a cybersecurity issue. The attack left the company’s portfolio in disarray, with digital room keys disabled, payment and reservation systems down and gambling machines offline for some time. By day-end, though, MGM posted to X again, saying its resorts were operational.
The company’s website was down for several days following the attack and it remains unclear if its company email accounts — also disabled the day of the event — are up and running, as MGM’s corporate communications team has not yet responded to Hotel Dive’s request for comment.
In an update posted to X on Sept. 20, MGM still did not provide insight into the cause of the cyberattack but reiterated, “all of our hotels and casinos are operating normally.”
Amid the flurry of news coverage, Bloomberg reported that Caesars Entertainment experienced a ransomware attack the week before MGM, in which it paid tens of millions of dollars to the hackers. Caesars filed an SEC report detailing the “social engineering attack on an outsourced IT support vendor.”
It’s been reported that both the MGM and Caesars attacks are the work of a group that goes by Scattered Spider or AlphV.
In light of both attacks, cybersecurity experts and analysts have weighed in on why hotels and casinos are particularly vulnerable to cyber threats — and what hoteliers can do to avoid them.
The most vulnerable
While hotels and casinos are not the only businesses susceptible to cyberattacks like ransomware, they are particularly vulnerable because they are high revenue generators that can afford very little tolerable downtime, Chris Denbigh-White, chief security officer for risk and data protection solutions provider Next DLP, told Hotel Dive.
A hotel with a casino would be more likely than some other businesses to pay ransom to a cybercriminal because it cannot afford the lost revenue from the time its gaming systems are offline or guests are inconvenienced on-site, Denbigh-White said.
Oscar Morales, a solutions architect at Calian IT & Cyber Solution, agreed that this is a top reason hackers target hotels and casinos. “Bad actors know they have a higher chance of being paid out because of the immediate impact a cyber attack can have on a casino’s brand and bottom line.”
MGM, specifically, stands to lose upwards of $8 million a day in revenue until it resolves its cybersecurity issue, Fox Business reported.
Another reason cyber criminals may target a casino, Denbigh-White said, is because they earn money by “winning” it from people — and are less likely to garner sympathy than, say, a large hospital. “[Hackers] have researched their targets…and some ransomware gangs care about those optics,” he said.
What hoteliers can do
As cybercriminals become wiser, hoteliers need to do the same.
“With the increasing sophistication shown by hackers, all franchisors and hoteliers must match and exceed their vigilance to protect sensitive information,” Laura Lee Blake, President and CEO of the Asian American Hotel Owners Association, urged in a statement regarding the recent wave of attacks. “Increased attentiveness and surveillance will protect the hotel guest experience, as well as the prestige and reputation of the hotels that the owners have worked so hard to build and maintain.”
To prevent harmful threats, hoteliers need to start with addressing “low-hanging fruit” when approaching their cybersecurity, Denbigh-White said.
“There's always a lot of discussion over how do we protect ourselves against these various [large] threats, whilst at the same time [businesses are] not conducting basic cyber security and IT hygiene,” Denbigh-White said. Basic hygiene, he added, means taking steps like understanding what IT assets, identity assets or user accounts a property has, and “ensuring best practices are adhered to in relation to those things.”
Best practices include ensuring password length and complexity, multi-factor authentication and not directly exposing IT kit to the internet, he said.
Hoteliers should also ensure their security awareness programs for employees are up to date, according to Trustwave SpiderLabs Senior Security Research Manager Karl Sigler. The practice helps prevent social engineering attacks, like those conducted on MGM and Caesars.
It’s been reported that the hackers impersonated an MGM employee using voice phishing and convinced its information technology helpdesk, managed by identity services provider Okta, to provide them with system access. Reuters reported a similar hacking method has been used on several of Okta’s clients since August.
According to Sigler, it’s likely MGM’s networks also were not properly segmented. Segmentation is when a company divides its network into multiple segments, each acting as its own subnetwork, to create boundaries between operational technology and information technology.
“The fact that these [hackers] were able to use Okta, most likely to get access to all of MGM’s 30 different casinos and resorts across the globe, from just one specific attack, one initial foothold… I'm just postulating here but it sounds like [MGM was not] properly segmented off,” Sigler said. “They had all their eggs in one simple basket and Scattered Spider unraveled that basket.”
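As an added illustration that is not part of the Hotel Dive article, Sigler's remarks, or any vendor's code, the following Python script models the segmentation he describes: hosts are placed in segments, firewall rules say which segments may talk to which, and a breadth-first walk measures how far a single compromised account could reach. The host names, segment names and rules are constructed for the example and are not MGM's real topology.

```python
"""Model of network segmentation: flat network vs. segmented network.

Constructed example. The hosts, segments and firewall rules below are
invented to show why one initial foothold reaches everything on a flat
network but is contained on a segmented one.
"""
from collections import deque

# Constructed inventory: host -> the segment (subnetwork) it lives in.
HOSTS = {
    "helpdesk-laptop": "corp-it",
    "sso-portal": "corp-it",
    "reservations-db": "corp-it",
    "slot-controller-01": "gaming-ot",
    "cage-terminal": "gaming-ot",
    "door-lock-server": "property-ot",
}

# Segmented policy: (src_segment, dst_segment) pairs the firewall allows.
# Hosts in the same segment can always reach each other. Constructed rules.
SEGMENTED_RULES = {
    ("corp-it", "property-ot"),  # one-way: IT pushes key updates to door servers
}

# A flat network is equivalent to a policy that allows every segment pair.
SEGMENTS = set(HOSTS.values())
FLAT_RULES = {(s, d) for s in SEGMENTS for d in SEGMENTS}


def reachable_hosts(start: str, hosts: dict, rules: set) -> set:
    """Return every host reachable from `start` by a breadth-first walk.

    A hop from host A to host B is allowed when both share a segment or
    when the policy contains (segment_of_A, segment_of_B).
    """
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        src_segment = hosts[current]
        for other, dst_segment in hosts.items():
            if other in seen:
                continue
            if src_segment == dst_segment or (src_segment, dst_segment) in rules:
                seen.add(other)
                queue.append(other)
    return seen


def blast_radius(start: str, hosts: dict, rules: set) -> int:
    """Number of other hosts a foothold on `start` can reach."""
    return len(reachable_hosts(start, hosts, rules)) - 1


def ot_isolated(hosts: dict, rules: set,
                it_segment: str = "corp-it", ot_segment: str = "gaming-ot") -> bool:
    """Policy check: no host in the IT segment may reach any host in the OT segment."""
    it_hosts = [h for h, s in hosts.items() if s == it_segment]
    ot_hosts = {h for h, s in hosts.items() if s == ot_segment}
    return all(not (reachable_hosts(h, hosts, rules) & ot_hosts) for h in it_hosts)


if __name__ == "__main__":
    foothold = "helpdesk-laptop"  # the account a helpdesk social-engineering call would yield
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{label:9s} blast radius from {foothold}: {blast_radius(foothold, HOSTS, rules)}")
        print(f"{label:9s} gaming OT isolated from corp IT: {ot_isolated(HOSTS, rules)}")
```

On the constructed topology the flat policy lets the helpdesk foothold reach all five other hosts, while the segmented policy limits it to the corporate IT segment plus the single door-lock server the one-way rule permits, and the gaming floor stays unreachable. The `ot_isolated` check is the kind of assertion a property could run against its real firewall policy before, not after, an incident.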
Being transparent
Beyond preventative measures, Sigler said it's important for companies to have reactive controls in place as well.
“There's no such thing as 100% security. Every single organization has some sort of risk associated with it, so these organizations absolutely have to have an incident response process in place,” he said, adding that if a cybersecurity attack does arise, it’s important to practice transparency to stakeholders and customers.
“Transparency these days really provides a level of trust,” Sigler said. “If people know that you've been compromised, but you're being mum about it, it really doesn't engender a lot of trust.”
Morales agreed that honest communication about a cyberattack will bode well for the business in question, and those that “hide or mislead the truth of what happened in the attack usually end up having customers lose trust in them.”
MGM, while keeping the public updated to some level via X, has remained rather quiet about the actual cause or status of the attack.
But, Denbigh-White said, “by no means is it too late” for the company to break its silence and be more transparent with stakeholders and guests — it’s just a matter of whether it will.