Full Report
MGM Resorts International agreed to pay $45 million to settle multiple class action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023.
Analysis Summary
# Incident Report: MGM Resorts Dual Incidents (2019 Data Breach & 2023 Ransomware)
## Executive Summary
MGM Resorts International experienced two significant security incidents: a data breach in July 2019 exposing customer personal information, and a disruptive ransomware attack in September 2023 impacting widespread operations across Las Vegas properties. The incidents ultimately led to the consolidation of 14 class action lawsuits, resulting in a preliminary $45 million settlement agreement to compensate affected customers.
## Incident Details
- Discovery Date: Incident 1 (Data Breach) - July 2019; Incident 2 (Ransomware) - September 2023
- Incident Date: Incident 1 - July 2019; Incident 2 - September 2023
- Affected Organization: MGM Resorts International
- Sector: Hospitality/Casinos/Gaming
- Geography: Las Vegas, Nevada (implied by operations)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2019 (Data Breach); September 2023 (Ransomware Attack)
- **Vector:** Not explicitly detailed for the 2019 breach; the 2023 attack was ransomware, later attributed to actors connected to the BlackCat/Alphv gang.
- **Details:** The 2019 breach resulted in the theft of names, addresses, and passport numbers of 37 million customers.
### Lateral Movement
- **Details:** The 2023 ransomware attack caused widespread operational failure, knocking slot machines, hotel keys, and ATMs offline, which suggests the malicious payload was successfully deployed network-wide.
- **Data Exfiltration/Impact:** Data stolen across both incidents included names, addresses, passport numbers, driver’s license numbers, military ID numbers, and Social Security numbers.
### Detection & Response
- **How it was discovered:** The 2019 breach data was later leaked onto a hacking forum. The 2023 ransomware attack was immediately evident due to massive widespread system outages.
- **Response actions taken:** The company faced numerous mediations, culminating in an agreement on October 31 to pay $45 million to settle 14 consolidated class action lawsuits. MGM reported losing approximately $100 million related to the 2023 incident alone.
## Attack Methodology
*Note: Specific details of the methods used are limited; the entries below are inferred from the incident type where the source does not state them.*
- **Initial Access:** Unspecified for the 2019 breach; likely phishing or compromised credentials for the 2023 ransomware attack, inferred from the Alphv group's typical methods rather than stated in the source.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed; the access to sensitive PII in both incidents suggests some form of credential compromise, but this is an inference.
- **Discovery:** Not detailed.
- **Lateral Movement:** Successful in deploying ransomware across critical infrastructure in 2023.
- **Collection:** Large-scale collection of customer PII (names, addresses, government IDs).
- **Exfiltration:** Data stolen in 2019 was leaked publicly on a forum post-breach.
- **Impact:** Operational shutdown (slot machines, keys, ATMs) and massive PII loss in 2023.
## Impact Assessment
- **Financial:** Settlement agreed at $45 million (to victims, fees, and services); MGM reported an internal loss of approximately $100 million concerning the 2023 incident.
- **Data Breach:** Over 37 million customers affected across both incidents. Data included passport numbers, driver’s license numbers, military IDs, and SSNs.
- **Operational:** "Chaotic scenes" in Las Vegas; hotels unable to accept credit cards; manual processing of transactions required at casinos. Systems down for days.
- **Reputational:** Significant negative publicity, resulting in multiple class-action lawsuits and ongoing FTC investigations.
## Indicators of Compromise
- *No specific IP addresses or URLs were provided in the context and thus are not listed here.*
- **File indicators:** Ransomware deployment artifacts (specifics unknown).
- **Behavioral indicators:** Widespread system outages across multiple hotel/casino functions.
## Response Actions
- **Containment:** *Not explicitly detailed, but necessary actions followed the 2023 detection.*
- **Eradication:** *Implied system rebuild/cleanup following ransomware deployment.*
- **Recovery:** Restoring critical hotel and gaming systems; calculating losses manually during downtime. Finalizing a $45 million legal settlement.
## Lessons Learned
- The organization was susceptible to compromise on multiple occasions across several years, highlighting potential gaps in defense-in-depth security posture.
- Failure to adequately protect highly sensitive PII resulted in extensive liability and subsequent litigation.
- Severe disruption to core business operations (payment processing, access control) indicates lack of segmentation or robust offline contingency planning.
## Recommendations
- Implement comprehensive, multi-factor authentication across all enterprise and network access points.
- Review and enhance segregation of networks accessing critical infrastructure (e.g., gaming systems vs. standard corporate IT).
- Develop and regularly test comprehensive offline business continuity plans that allow core operations (payments, access control) to continue without the systems crippled by ransomware.
- Investigate potential vulnerabilities related to the 2019 initial access vector to ensure the root cause has been remediated.