ifrah on igaming

A Blog About Online Gaming and Entertainment Regulations

“What are we supposed to do? Call the cops? It’s already out there!”: Recent MGM hack exemplifies the uncontainable results of a data breach
February 21, 2020

By: Nicole Kardell

A hacker has posted to a public forum the personal details of more than 10.6 million former hotel guests of MGM Resorts. Information now available for all to see includes full names, home addresses, phone numbers, emails, and dates of birth. What makes it most newsworthy is that Justin Bieber and Jack Dorsey (Twitter’s billionaire CEO), among other celebs, prominent business folks, and government officials, are included in the 10.6 million.

An interesting feature of the recent data leak is that it stems from a breach, to which MGM timely responded, last summer. And even though MGM appears to have done everything right at the time—promptly notifying impacted individuals, hiring forensics firms to investigate, and instituting measures to enhance security—the breach reared its ugly head this week, Hydra-style.

The problem is that a data hack is like a gas leak: once personal data is publicly exposed, it is impossible to contain. ZDNet reports that the hotel guests’ data had been shared in several closed-circle hacking forums since last summer before its recent, more public, release. Now those former MGM guests face a “higher risk of receiving spear-phishing emails, and being SIM swapped.”

The MGM Resorts hack and follow-on leak serve as a painful reminder of the prevalence and costs of data breaches. According to Risk Based Security, breaches in 2019 were up 33% over the prior year, with a total of 7.9 billion exposed records. IBM estimates that the average cost of a breach is just under $4 million. And the story comes but a month after a UNLV conference discussing, among other things, privacy protections in the gaming industry. At the conference, which Ifrah Law sponsored, panelists noted that certain industries are more susceptible to data hacks, and the gaming industry is one of those industries. Repeated cyber attacks on the Hard Rock Casino bring the industry’s susceptibility to light.

Casinos need to be in the vanguard of tech advancements and data security. But alas, they are not. At the end of 2019, data security vendor UpGuard posted its analysis of cyber security for some of the industry’s main players. The results were reasonably disappointing, including calling Caesars Palace “poorly protected.” As we’ve discussed in the past, companies cannot rest on their proverbial laurels when it comes to data security. They need to prepare and do their best to prevent security vulnerabilities. There seems to be a disconnect in the gaming industry (as well as in other industries) between likelihood of risk and cost of protecting against that risk. The cost is small in comparison to the likelihood of a breach and the costs of that breach.

MGM now faces bad publicity, lost consumer confidence, inevitable lawsuits and increased scrutiny. Other industry players (and all companies large and small) should heed the moral of the story: Prevention is the best preparation. Do your best to avoid data security vulnerabilities. Learn your weaknesses upfront from a technical and a legal standpoint. And invest in enhanced data security and regulatory compliance.

Because once data is exposed, you are at the mercy of a merciless Hydra.

Nicole Kardell

Nicole is a certified privacy professional with expertise in European privacy law (CIPP/E), in particular the GDPR. She helps companies to navigate the changing face of privacy regulations and to keep their business practices and partnerships in compliance with the law both domestically and abroad.