Defending against cyber attacks: Lessons from MGM's $100M breach

Nov. 30, 2023

In an era dominated by technological advancements, the hospitality industry has become a prime target for cybercriminals, with social engineering emerging as a particularly insidious threat. Here, we will delve into the dangers of social engineering cyber attacks on hotels, drawing attention to notable incidents, such as those affecting MGM Resorts and Caesar’s Palace.

The Rise of Social Engineering:

Social engineering involves manipulating individuals into divulging confidential information or performing actions that compromise security. In the context of hotels, this could range from gaining unauthorized access to guest information to infiltrating critical systems.

MGM Breach:

MGM’s recent fall to a massive social engineering attack was one of the most notable breaches in history. MGM has incurred nearly $100M in losses from the event, despite their decision not to pay the demanded ransom.

Caesar’s Palace Breach:

Caesar’s Palace, another iconic name in the hospitality industry, faced its own cybersecurity challenge. While not as extensive as the MGM breach, Caesar’s Palace encountered social engineering attacks that likely compromised the data of millions. These attacks often targeted employees through deceptive emails, phone calls, or other communication channels, with attackers frequently impersonating upper management at sensitive times such as the night shift.

Understanding the Tactics:

  1. Phishing Emails: Cybercriminals often send deceptive emails that mimic legitimate communication from within the hotel. These emails may contain malicious links or attachments, leading employees to inadvertently disclose sensitive information.

  2. Pretexting Calls: Attackers may use pretexting – creating a fabricated scenario or pretext to obtain information – in phone calls to extract confidential data. For instance, an attacker may pose as a manager or IT personnel to gain access to employee or guest data.

  3. Impersonation: Social engineers might physically enter the hotel premises, posing as maintenance staff, delivery personnel, or other trusted figures. This allows them to move through the hotel undetected, potentially gaining access to secure areas.

Preventing Social Engineering Attacks:

  1. Employee Training: Regular and comprehensive training programs for hotel staff can help them recognize and resist social engineering attempts.

  2. Enhanced Authentication Measures: Implementing multi-factor authentication and stringent access controls can bolster the security of guest and employee data.

  3. Regular Security Audits: Conducting routine security audits and assessments can identify vulnerabilities and potential points of exploitation.

As hotels continue to embrace digital transformation, the need for robust cybersecurity measures becomes paramount. Social engineering attacks pose a significant threat, and the incidents at MGM Resorts and Caesar’s Palace underscore the importance of a proactive and vigilant approach to cybersecurity in the hospitality sector. By investing in employee training, adopting advanced authentication measures, and regularly auditing security protocols, hotels can fortify their defenses against the ever-evolving landscape of cyber threats.