MGM Resorts has now recovered from the September cyber attacks that took much of the company’s casino computer systems down for weeks. CEO Bill Hornbuckle addressed the company’s response to the challenges created by the security breach recently during his remarks at the World Gaming Expo in Las Vegas.
Overall, Hornbuckle was pleased with how the company responded to several challenges that included shutting down the company’s websites, online hotel registration, company email, several slot machines, and several of the company’s computer systems. The issue affected MGM casinos in several states across the country, most notably in Las Vegas, where the company operates MGM Grand, Bellagio, Aria, The Cosmopolitan, Mandalay Bay and others.
“We found ourselves in an environment where we were in complete darkness for the next four or five days, with 36,000 hotel rooms and some regional properties,” he said. “Literally, the phones, the casino system, the hotel system — and I could go on and on — weren’t working. So… you’re putting the company on the line.”
Lessons learned
In many of these types of cyber attacks, hackers are often able to take control of a company’s systems until a ransom is paid. The cybercrime group demanded $30 million from MGM. Caesars had been subjected to a similar attack in the days before MGM. After being hacked, it paid a $15 million ransom to regain control of many of its systems.
Hornbuckle says the company’s technical call center was socially engineered by the hackers, meaning the attacker actually contacted the center to extract information from employees to gain access to the systems. He said that the company learned lessons from the experience, and is happy that it did not give in to the demand.
“We’re proud of what we did. We didn’t pay the ransom,” he said. “The way you organize your environment. If they go into one, they won’t go into all, it’s critical engineering. This is probably the second biggest takeaway.
“In our example, one of the things we were able to protect was banking information, credit card information — and nothing got out. And so, even despite the size of the breach we had, that type of information wasn’t made public.”
The entire ordeal will cost the company about $100 million, but much of that amount will be covered by insurance, Hornbuckle said. The company continues to work on strengthening its systems to reduce the possibility of a similar attack in the future.