Tech Matters: Lessons learned from the Vegas vishing attacks

By Leslie Meredith - Special to the Standard-Examiner | Oct 11, 2023

When you read that MGM casinos in Las Vegas were under cyber attack, you probably envisioned a sophisticated remote hack in the style of a Hollywood blockbuster. As the hoodie-clad hacker typed furiously on a keyboard, malware raced through the system, hotel keys failed to open doors, slot machines stopped working and lucky winners in casinos received handwritten receipts just to wait hours to collect their cash. Hotel booking systems and online sports betting went offline. While all of these electronic failures happened, the cybercriminals gained access to the systems through a simple phone call in a technique called vishing.

Vishing, like phishing, is a type of social engineering. Instead of email, vishing uses a voice call to get login credentials to access a targeted system. The attacks show how even organizations that you might expect to be especially well protected from cybersecurity attacks are still vulnerable. The weakest link is almost always people and the MGM attack was no exception.

We now know that Caesars was attacked at about the same time but did not suffer the same operational issues as MGM. Why? Because once the hackers had gained control of the systems, they demanded ransoms — Caesars paid a $15 million ransom and experienced only a few days of disruption to its services, while MGM refused to pay or negotiate with the attackers.

Last week, MGM filed a disclosure with the SEC and reported it lost about $100 million as a result of the attack. The company said it spent around $10 million to investigate the breach and repair its systems. To put the expenses in perspective, MGM reported $2.1 billion in revenue in the second quarter of this year from its Las Vegas properties alone.

Ransomware investigations fall under the jurisdiction of the FBI, which strongly discourages paying ransom because payment does not guarantee victim files will be recovered. Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and fund illicit activities, according to FBI guidance.

There are several lessons to be learned from the casino hack. First, how can you protect yourself from a vishing attempt? Start by assessing your risk as a target. If you have a position with a well-known company that gives you broad access to your firm’s systems, you are at a higher risk than someone who has minimal access and works for a lesser-known company. Now take a look at the information publicly available about you online. An attacker will be looking for personal data that can be used to impersonate you. Think about the security questions you use as a backup to your passwords. If they involve answers that someone could get from your LinkedIn or Facebook profile or your company bio, you are vulnerable.

When choosing security questions, avoid fact-based ones such as “What is your mother’s maiden name?” Instead, choose preference questions and answer with a response that would be tough to guess. Remember, it doesn’t have to be true. Write them down and store them in a secure place — not on your computer. And just like passwords, use different questions for each site that requires security questions so that if one set of credentials is hacked it won’t give access to other websites.

Check with your IT department to make sure sufficient procedures are in place to verify the identity of employees both within the company and with third-party providers. In the MGM case, it is thought that the criminal group posed as a high-level MGM employee with a password reset request to a third-party help desk, and that’s all it took to gain access to the system.

If, like some MGM guests, you find out that your data has been compromised, there are things you can do after the fact to protect yourself and your accounts. MGM finally let guests know that the hackers accessed names, contact information, gender, date of birth, and driver’s license, passport and Social Security numbers from “some customers” before March 2019. The company is providing free credit monitoring services to them.

Anyone who has personal data compromised in a data breach should carefully check their bank statements for at least a year following the incident because it can take that long or longer for stolen information to be used in identity theft. Change any passwords associated with the breach and cancel any credit cards that could have been involved.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.

