Preparing for the Final Draft
Evaluation of MGM Cybersecurity Breach Exposures
How complete was the disclosure? What aspects of the breach were disclosed (Threat - threat agent - vulnerability - actual breach - discovery - investigation - impact - remediation)?
On October 5, 2023, MGM Resorts filed the details of the recently concluded cyberattack on MGM data collection and management systems. The company claimed that hackers had managed to access customer's personal information, including their names, contact information, gender, dates of birth, driver's license numbers, social security numbers, and passport details. However, the hackers are unlikely to have gained access to customer security passwords and payment details. MGM Resorts was unclear about the number of affected users in the recently concluded cyberattack.
How timely was the disclosure? Did it provide adequate time references for evaluation (report, discovery, investigation, and remediation lag)?
The details provided by MGM Resorts in their fillings confirmed that the company systems were breached by a cyberattack leading to stealing customer's personal information. The extent of damages in terms of stealing personal data was reported, and the likely repercussions of economic losses due to the disruption of services were estimated to be more than $100 million in the context of lost earnings.
Did management involve themselves in the disclosure? (signature of C-suite executives)
Yes, as the filings submitted by MGM Resorts on October 5, 2023, were signed by Jessica Cunningham, Vice President, Legal Counsel, and Assistant Secretary of MGM Resorts. MGM Resorts management actively dealt with the impact of cyberattacks and decisions related
to the normalization of services provided by the company. The company had reportedly spent around $10 million in one-time expenses related to the recovery activities from the cyberattack (Page & Whittaker, 2023). MGM Resort management had decided not to pay ransom to the hacker group. It deemed the company's cybersecurity insurance sufficient to meet the economic impact of the recent cyberattacks.