More importantly, the hackers claim to have stolen 6 terabytes of data including the driver’s license numbers and social security numbers of loyalty program members.
Social engineering. Social engineering is not a technical strategy but a psychological or emotional one: an attacker convinces, manipulates, or tricks an employee or data holder into giving them access to their systems.
In this case, the hackers found an MGM employee on LinkedIn and impersonated them in order to trick the IT desk into helping them gain access to the network. After the initial entrance into the systems, they were able to access multiple passwords and launch ransomware attacks.
This type of attack is as old and classic as hacking and social engineering get. Impersonating one person to trick another into granting access to an email account, a locked room, or a hotel room you do not belong in is one of the oldest tricks in the book.
For as long as humans have been around, other humans have been manipulating them into handing over what they want or need. The reason some people may believe these cyber attacks are new is that cyber security reporting is becoming easier and more common in mainstream media.
Having a remediation plan is as important as having cyber insurance, cyber awareness training, or any other step in your security awareness program. Being such a large and prominent organization, we expect that MGM has a remediation plan on deck and began implementing it immediately.
If we were MGM, these are some things that would be included in our next steps:
As a security professional or business owner, after any big cyber security news story hits mainstream media like this one, you need to take action. This story is evidence to your executives and employees that cyber attacks can happen to anyone. Use it as your next tool to start conversations and spark action.
Chances are even people in your organization who aren’t security geeks have briefly seen the “MGM” headlines and wonder what’s going on. Take advantage of this spark of curiosity by sharing the story with the whole organization.
Book a quick, important meeting with your executives to go over the story. Present the revenue lost due to operational disruptions, the ransom amount being demanded, and other numbers that will grab their attention. Walk them through the story to show how easy it was for these hackers to get into a huge organization holding lots of important data. Then, give your executives hope and a path to action by telling them what you plan to do to stop this from happening to them.
In your team’s #security or #general channel in Slack, share the story. Identify the threats, assets, and vulnerabilities, and ask a question to continue the conversation. Remember, you don’t want to scare your employees by saying “SEE – This is what happens when you don’t do your training”, but instead encourage reflection and curiosity by sharing the story and keeping the conversation open.
Conduct a threat analysis of the case. Identify all the vulnerabilities that allowed this attack to occur and then see if they exist within your organization. In this case:
If any of these vulnerabilities are identified in your organization, act immediately to address them.
If anything, let this be a lesson that employees still can and will fall for social engineering attacks. The best way to protect your business from a human risk like this is to implement security awareness training modules specifically for social engineering.
If you have an IT Help Desk, now is also a great time to implement customized group training. Create a group containing all IT Help Desk employees and assign them targeted training on verifying the identity of employees who call in and stopping social engineering attacks.
Create an IT Help Desk customized training group using Click Armor’s new Customized Training Group Feature. Book a call with us to see a demo.
Although the MGM attack is a scary story, don’t let it scare you away from using it as a positive learning opportunity for your organization. Now is a great time to share this story with your team to encourage conversation and grow your security culture. You can also conduct your own threat analysis to identify any vulnerabilities that could lead to a similar attack and pitch the solutions to your executives. Most importantly, use this as the final motivation you need to implement social engineering training for all employees to protect your business and customer data.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.