Alastair Miller: A Cautionary Tale From MGM

For one week in September, Vegas came to all but a standstill.

Call centres ground to a halt, parking machines went down, queues of guests waiting to be checked in manually filled hotel lobbies, and booking websites for some of Sin City’s most popular casinos were taken offline for an uncomfortably long time.

Social media was rife with videos of sad-looking gaming floors with blank screens on slot machines, radios were placed in elevators in lieu of emergency phone systems, guests complained of key cards to rooms not working, and much, much more.

This wasn’t caused by a natural disaster or a power cut, but by a cyberattack on MGM Resorts, the owner of more than 30 hotels and gaming venues globally.

Hotels are an excellent target for cybercriminals.

Every day, guests are tapping into large WiFi networks while handing hotels valuable information, including identification documents and credit card details. They’re handing this information over to a revolving door of staff who work with security systems that are often rife with vulnerabilities.

It’s a goldmine, and hackers are increasingly aware of the opportunities.

MGM has been hit by more than one cyberattack. In 2019, approximately 10 million MGM guests had their data published on a Russian hacking forum following a major breach. Another chain to face multiple hits is Marriott Hotels: in the space of four years it identified three data breaches, the most recent in June 2022.

These aren’t isolated incidents either. The Hard Rock Hotel and Casino has been breached twice, and Radisson Hotel Group and Hyatt are just two of the other big names in the hotel industry that have faced breaches.

What this shows is that hotels are a worthwhile target for cybercrime. Let’s dig a little deeper into why.

Hotels have a lot of moving parts, with many people passing through each day, and it’s not just guests who come and go. Big chains like MGM have lots of part-time staff, which means regular turnover and different people working at every hour of the day.

Part-time staff coming and going, combined with high turnover rates, make it difficult for hotel managers to give their staff regular cybersecurity training, leaving ample room for things to go wrong.

Then there are the third parties. Many of these, such as call centres and booking agencies, are located offshore, where pay is low and turnover is high. Cybersecurity awareness is low, and there is little training or process for dealing with social engineering attempts.

But cybersecurity training is vital, because not all breaches happen by accident. Hotel staff and third parties have access to sensitive guest information, and even a photocopied driver’s licence or passport has value on the dark web. As the cybercrime world becomes more intricate, there is money to be made by handing over other people’s personal data.

When a hacker looks for a business to target, they look for the places with the weakest cybersecurity. Businesses with measures in place such as multi-factor authentication, secure internal systems and regular employee training are much less likely to be targeted. Hackers are constantly looking for the low-hanging fruit, and a few basic measures can be enough to ensure they move on to the next target.

Hackers are also on the hunt for high-value guests: think top-level business executives or well-known people of influence. These kinds of people often stay at hotels, especially 5-star locations.

Your hotel may not be on a hacker’s radar until a tracked high-value individual hands over their personal information. Suddenly all of your vulnerabilities will be tested as the attackers try to get access to these valuable assets.

But what can hotels do to defend themselves against cyberattacks?

Employee cybersecurity training is key to protecting against a cyberattack; the Marriott and MGM breaches proved this to be true. An organisation’s biggest vulnerability is its people, so teaching them to detect and respond to scams or phishing attempts is a huge step in protecting against cybercrime.

Hotel managers also need to make sure their employees are not using work devices for personal use, have multi-factor authentication enabled on all applications, and keep work passwords unique and never shared amongst staff.

All systems and devices need to be updated regularly as well. Outdated software makes devices vulnerable to breaches, and this includes WiFi routers, computers, and phones. In extreme cases, hackers have even gained system access through out-of-date internet-connected air-conditioning units.

The above are the basics of cybersecurity, but more can always be done to enhance a business’s cybersecurity. I’d recommend businesses in the hotel sector take the time to break down their risk profile, test their systems, train staff, and perform simulated cyber-attacks. This would place them in the best position they can be in to protect against a data breach, or to weather the storm if one does occur.

Hackers don’t care about who they’re targeting; they are simply looking for a weak link. Make sure your hotel doesn’t have a virtual bullseye on its back.

By Alastair Miller, Principal Advisory Consultant, Aura Information Security