MGM Resorts and Caesars Entertainment have both issued statements confirming they’ve suffered social engineering or cybercrime attacks. Now, one of the hacking groups apparently involved has issued its own statement. However, investors in the companies don’t seem to be particularly concerned, as their stock prices have only taken a slight dip over the past week.
MGM suffered the more outwardly visible consequences of the attack, as its website went offline on Monday, Sep. 11, alongside most digital services at its hotel and retail casino properties. The website is now back online, and the company is reportedly issuing vouchers to its customers for their inconveniences over the past week.
Neither MGM Resorts International 42,43 +0,31% nor Caesars Entertainment 41,47 -1,82% stock has experienced a sharp drop at any point in the ordeal. MGM has dropped 6% over the week in a gradual fashion, while CZR is down about 3%.
The associated online brands, BetMGM Casino and Caesars Palace Online Casino, appear unaffected. BetMGM is operated by a different company than the retail casinos—a joint venture between MGM Resorts and Entain.
A Joint Effort by Scattered Spider and ALPHV
The attacks appear to involve two groups: Scattered Spider, which allegedly performed the social engineering, and ALPHV, which claims to have supplied the ransomware. A statement of responsibility has been circulating, reportedly posted by the latter to its site on the dark web.
In the statement, ALPHV confirms its involvement with the MGM attack. At the same time, it pushes back on what it claims is sloppy reporting by the media and denies that it made some of the claims previously attributed to it. It claims that the MGM outages resulted from the company taking its own systems offline in response to the attack and that ALPHV only activated its ransomware later.
No ransomware was deployed prior to the initial take down of [MGM’s] infrastructure by their internal teams. MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords.
Analysts have pointed to the likelihood of insurance payouts as one reason for the lack of financial panic. Caesars also alluded to that in an SEC filing released on Sep. 14.
In the same filing, Caesars blames the breach on “an outsourced IT support vendor,” which it says was the target of the attack. It goes on to allude to a possible indemnification claim against that third party.
Customer Data May Be at Risk
Based on ALPHV’s claims, it appears the attackers’ goal was to steal sensitive data and hold it for ransom rather than disrupt services.
Caesars’ experience seems to corroborate this. Its SEC filing states, in part:
As a result of our investigation, on September 7, 2023, we determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database. We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor. We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.
Multiple mainstream outlets have reported that unnamed sources said Caesars agreed to pay $15 million (half of what the attackers initially demanded). Caesars’ SEC filing doesn’t explicitly address this but seems to suggest that it might be the case:
We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.
Given that the data was already in the attackers’ possession, it’s unclear what “steps” Caesars might have taken to ensure that, other than complying with demands.
Meanwhile, the purpose of ALPHV’s statement appears to be to shame MGM for not making a similar payment. It says it provided MGM with a link to download the data it had stolen to confirm the hack, but MGM refused to negotiate.
We believe MGM will not agree to a deal with us. […] You believe that this company is concerned for your privacy and well-being while visiting one of their resorts?
The FBI recommends against paying cybercriminals in these cases, saying that it only encourages them and doesn’t guarantee an end to the attack.
Caesars Offers Identity Theft Protection
In its SEC filing, Caesars says it is notifying customers whose data may have been compromised. It says it has not seen any evidence that the data has been “further shared, published or misused.”
Even so, it is offering its customers free credit monitoring and identity theft protection services for early warning in case that changes.
Customers with questions about the breach or who wish to sign up for those services should call the following toll-free number: (888) 652-1580. It is available from 9 a.m. to 9 p.m. ET, Monday through Friday.
The FBI continues to investigate both cases. MGM issued a shorter statement in its own SEC filing on Tuesday. It is identical to that obtained the day before by Bonus via email from MGM’s Executive Director of Communications, Brian Ahern:
MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.