Nevada regulator calls for answers after MGM cyberattack
Gaming Commissioner Brian Krolicki suggests regulator is keen to get a “good handle” on breach which left operator immobilized
Representatives from the Nevada Gaming Commission (NGC) have called for greater transparency on the recent cyber and ransomware attacks which hampered MGM Resorts’ and Caesars Entertainment’s operations.
In a meeting of the NGC, which took place at the end of last week, NGC commissioner Brian Krolicki weighed in on the high-profile incursions by hackers into the land-based operations of MGM Resorts and the theft of personal data from Caesars’ loyalty program members.
“It would be, I think, important and certainly enlightening given the recent events of the past weeks regarding cybersecurity and ransomware, and particularly to MGM and to our friends at Caesars…how it impacts our world, our regulatory responsibilities,” Krolicki said.
“Right now, the priority is just to recover and make sure that patrons are made whole, the systems are secure.
“But I think at some point in time when there is the energy and understanding of what just happened, if we could get some kind of briefing on what’s transpired that’s appropriate and for public record, and perhaps policy going forward,” he added.
MGM Resorts was hit by a cyberattack on September 10, with the breach having a significantly detrimental effect on the firm’s operations, most notably in Las Vegas, where thousands of resort visitors were affected.
The initial hack left customer reservations, on-site cash withdrawals, and slot machines on casino floors unusable at up to 30 venues.
On September 21, MGM Resorts confirmed its return to full operations; however, some promotional offers may still be unavailable following the outage. Hacker collective ALPHV/BlackCat took responsibility for the hack, although this has yet to be confirmed by the operator.
MGM Resorts’ rival operator Caesars Entertainment confirmed it had been targeted by hackers in a ransomware attack in a Securities and Exchange Commission (SEC) report on September 15.
The operator revealed it had been the subject of a so-called “social engineering” attack on an outsourced IT vendor used by the company.
The stolen data included a copy of the Caesars Rewards loyalty database, containing driver’s license numbers and social security numbers, with the firm still investigating the true extent of the breach.
According to media reports, Caesars paid the hackers – reported to be Scattered Spider – $15m to ensure that the data taken remained private and unpublished.
“How do we avoid these things? If they do happen, what are the reporting schemes? Were these immediately reported to the Gaming Control Board?” Krolicki asked.
“There are a lot of questions, a lot of publicity. It’s a global story and I just think it would behoove all of us to really get a good handle on just what happened,” the NGC commissioner added.