MGM Resorts International recently reported that a cyberattack that occurred in September 2023 would cause a $100 million hit to its third-quarter results. One of the world's largest gambling firms, MGM shut down its systems after detecting the attack in order to contain damage. It expects to also incur close to $10 million as a related one-time cost in the quarter ended on September 30, 2023.
However, this is not the first cybersecurity incident reported by MGM. In February 2020, MGM suffered a significant data breach that exposed the personal information of over 10.6 million guests, raising the question of whether any lessons have been learned.
Other hotel chains have experienced similar breaches. In 2018, Marriott revealed a massive breach that exposed the data of nearly half a billion of its customers.
7 Cybersecurity Lessons
- Cloud Security is Crucial: MGM's 2020 breach occurred due to a misconfigured cloud server. Organizations must understand that securing data stored in the cloud is just as important as securing data on their internal servers. Implementing robust cloud security measures, such as proper access controls and encryption, is essential.
- Regular Security Audits are Essential: Frequent security audits and vulnerability assessments can help organizations identify and rectify potential weaknesses before they are exploited by malicious actors. In MGM's case, a routine security audit could have revealed the misconfiguration before it led to a breach.
- Educating Employees is Key: Human error is a leading cause of data breaches. Employees must be educated about cybersecurity best practices and trained to recognize potential threats, such as phishing attempts. A well-informed workforce can act as the first line of defense against cyberattacks.
- Incident Response Plans are Vital: A well-defined incident response plan is crucial for minimizing the impact of a breach when it occurs. Organizations must have a clear protocol for detecting, responding to, and recovering from security incidents.
- Transparency and Communication: MGM Resorts' prompt acknowledgment of the breach and communication with affected guests helped maintain trust in the brand. Transparency and open communication with stakeholders are critical during and after a data breach.
- Compliance with Data Protection Regulations: Organizations, especially those handling personal data, should comply with data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Compliance not only helps protect data but also avoids hefty fines and legal consequences.
- Encryption and Data Minimization: Encrypting sensitive data and practicing data minimization—collecting and storing only the data necessary for business purposes—can limit the potential damage of a breach.
In an era where personal information is increasingly valuable to cybercriminals, organizations must prioritize cybersecurity measures, employee training, and proactive security audits to stay ahead of evolving threats.
While no system can be entirely impervious to attacks, organizations can take proactive steps to minimize their risk and respond effectively when a breach occurs. Cybersecurity is not a one-time investment but an ongoing commitment to protecting sensitive data and maintaining the trust of customers and stakeholders.
ShareVault has been providing organizations of all types and sizes with secure document sharing solutions for over 15 years.