“What are we supposed to do? Call the cops? It’s already out there!”: Recent MGM hack exemplifies the uncontainable results of a data breach

February 21, 2020

By: Nicole Kardell

A hacker has posted to a public forum the personal details of more than 10.6 million former hotel guests of MGM Resorts. Information now available for all to see includes full names, home addresses, phone numbers, emails, and dates of birth. What makes it most newsworthy is that the likes of Justin Bieber and Jack Dorsey (Twitter’s billionaire CEO), along with other celebs, prominent business folks, and government officials, are included in the 10.6 million.

An interesting feature of the recent data leak is that it stems from a breach last summer, to which MGM responded in a timely manner. And even though MGM appears to have done everything right at the time—promptly notifying impacted individuals, hiring forensics firms to investigate, and instituting measures to enhance security—the breach reared its ugly head this week, Hydra-style.

The problem is that a data hack is like a gas leak: once personal data is publicly exposed, it is impossible to contain. ZDNet reports that the hotel guests’ data had been shared in several closed-circle hacking forums since last summer before its recent, more public, release. Now those former MGM guests face a “higher risk of receiving spear-phishing emails, and being SIM swapped.”

The MGM Resorts hack and follow-on leak serve as a painful reminder of the prevalence and costs of data breaches. According to Risk Based Security, breaches in 2019 were up 33% over the prior year, with a total of 7.9 billion exposed records. IBM estimates that the average cost of a breach is just under $4 million. And the story comes but a month after a UNLV conference discussing, among other things, privacy protections in the gaming industry. At the conference, which Ifrah Law sponsored, panelists noted that certain industries are more susceptible to data hacks, and the gaming industry is one of those industries. Repeated cyber attacks on the Hard Rock Casino bring the industry’s susceptibility to light.

Casinos need to be in the vanguard of tech advancements and data security. But alas, they are not. At the end of 2019, data security vendor Upguard posted its analysis of cyber security for some of the industry’s main players. The results were reasonably disappointing; among other things, the analysis called Caesar’s Palace “poorly protected.” As we’ve discussed in the past, companies cannot rest on their proverbial laurels when it comes to data security. They need to prepare and do their best to prevent security vulnerabilities. There seems to be a disconnect in the gaming industry (as well as in other industries) between the likelihood of risk and the cost of protecting against that risk. The cost is small in comparison to the likelihood of a breach and the costs of that breach.

MGM now faces bad publicity, lost consumer confidence, inevitable lawsuits and increased scrutiny. Other industry players (and all companies large and small) should heed the moral of the story: Prevention is the best preparation. Do your best to avoid data security vulnerabilities. Learn your weaknesses upfront from a technical and a legal standpoint. And invest in enhanced data security and regulatory compliance.

Because once data is exposed, you are at the mercy of a merciless Hydra.

Nicole Kardell

Nicole is a certified privacy professional with expertise in European privacy law (CIPP/E), in particular GDPR. She helps companies navigate the changing face of privacy regulations and keep their business practices and partnerships in compliance with the law both domestically and abroad.
