MGM losing up to $8.4M a day due to cyberattack, analyst says

REVIEWJOURNAL.COM
gmays

@justsomehnguy

> MGM is not earning up to $8.4M a day due to not spending $333.3k a day on proper measures against cyberattacks, analyst says

Fixed

@zephyrus76

This really feels like 1650's nautical piracy. Someone outside the reach of the law of the targeted country's merchants, making tons of money by theft and ransom. And like the pirates of old, often supported by the host nation so long as their attacks disrupt the activities of rival nations' merchants.

@willis936

Merchants provide a value to society and pirates harm that. The thieves are providing a value to society in this case by damaging casinos, which provide no value to society and only harm citizens.

@kube-system

Casinos provide leisure and entertainment. If what you're actually trying to say is that they are overall a net harm, then I'd point out that imperial mercantilism was also quite harmful to many people. At least MGM hasn't overthrown any countries.

@paulddraper

Depends on what the merchant is selling, I reckon.

@nosmokewhereiam

Cyber privateering was mentioned like 10-12 years ago. Someone had a blog or similar referring to the 'Morgan doctrine'.

Edit: I found it. It looks more professionally edited and lengthy than when I first came across it in 2010(!).

Link: https://www.themorgandoctrine.com/2010/11/draft-01-cyber-pri...

The Cyber Privateer Code (draft 02—updated on 6/28/2013):

- Any unauthorized attempt to access your computer or phish your data access privileges constitutes a crime punishable by the looting of the attacker's assets by an authorized cyber privateer. All assets. Within 6 months of the attack.

- If it is determined that the attacker is acting under explicit instructions from a larger organization or government, the assets of that organization or government are also forfeit to the extent that an authorized cyber privateer may confiscate them within a six month period of the original motivating attack. All assets.

- The individual whose assets were seized by a cyber privateer—or the publicly and legally designated spokesperson for the organization or government whose assets were seized by the cyber privateer—has the "right of parley" with the head of the cyber privateering organization, such meeting to take place online in a two-way video conference, such conference to be publicly recorded by one or both parties and before the disposition of the booty but no later than 10 days from the confiscation.

- Innocent victims whose assets are directly and mistakenly confiscated by cyber privateers (and whose funds are not returned within 10 days after the parley) shall be compensated in an amount equal to four times their loss, with interest accruing on the restitution amount at the rate of twelve percent per annum. This does not include victims of the cyber criminals, since they were already victimized.

- Notifications and requests for parley must be unambiguously left by the cyber privateer so as to allow the right of parley to be exercised in a timely fashion.

*These rules would of course lead to the world's end in any significant conflict, imo. But it would certainly be fun for a minute.

@nico

It never stopped, and the US is one of the worst offenders.

Check out War is a Racket, by US general Smedley Butler.

Also the Snowden documents and the whole Assange/Wikileaks case.

@pphysch

The "World's Policeman" thesis really fell flat.

There is an urgent need to have effective international law-enforcement and justice.

@readyplayernull

Will we see machineguns and hacker hanging cages installed in their buildings?

@lainga

God damn them all, I was told / we'd abuse the C's for American gold...

@zephyrus76

We'd file no bugs / thread no peers...

@tpmx

Lots of us foresaw this (and much worse) when Bitcoin appeared.

@irtefa

I'm curious if MGM fully understood their cyber risks. Many companies underestimate threats until something like this happens. After seeing MGM, if other hotels beef up security too (very likely), will overall costs for consumers go up?

@xfitm3

Security is a SG&A line item, I am sure they are far more fixated on physical security due to their business vertical and had a gap. There will be many cyber companies chomping at the bit to get a piece of the inevitable (I made this number up) 100m MGM will spend on Cybersecurity over the next 5 years.

They won't make the same mistake twice and will build a comprehensive cybersecurity program, and it will succeed. Up until someone questions this cost and forgets what they are paying for because everything was so smooth, and the cycle repeats.

The objective of security is risk identification and management, not creating an impervious barrier for potential adversaries.

@jarym

> Many companies underestimate threats until something like this happens

Speaking from my experience, many don't understand the threats even after an incident. The reaction is often to add 'more security' under any name. More restrictive policies, more scanning, more layers of MFA - just blindly layering on things because it's seen as 'more secure' without properly understanding how it affects risk is an awful approach to managing security.

@insanitybit

> Katz told investors in his Thursday and Sunday reports that damages from the cyberattack at MGM would be claimed against insurance, but it’s unclear just how much would be covered.

I'm curious to see how this plays out. After all, if MGM is audited and found to have been negligent, would insurance pay out at all?

@crazygringo

Presumably the insurance requires a security audit (yearly?) in order to get in the first place?

As long as the auditors OK'd it then the insurance should pay out. Unless they can show that MGM intentionally lied in the information they gave the auditors -- which will surely now be gone through with a fine-toothed comb.

(See that HN thread from a couple of days ago wondering if they were personally liable for fraud for producing a document lying about pentesting.)

@insanitybit

The audits you get for something like SOC2 are quite weak. I'm very curious to learn if the insurance team's audit is more thorough (if they perform one).

@Eji1700

I suspect that's just an initial breakdown. They're estimating 4.2 to 8.4 million a day out of the 42 million they normally make, but that's just on the revenue side.

Equipment, man hours, botched projects, and lawsuits are going to push that number waaay higher, and even then I feel like it's got to be pretty low given the vast amount of money that passes through every day. On a 15% hold 42 million would work out to 280 billion of flow through the slots max (and obviously that's estimating high and assuming all revenue is from slots).

So 8 million a day is $53 billion in coin in that's not occurring? Maybe that's correct.

Doing quick napkin math so pardon any errors.

@kneel

MGM is smart for not paying.

You can't let the scammers dictate what a casino does, MGM is already in the business of scamming people. They'll build their whole system from the ground up and be incredibly resistant to future attacks.

@anonymousiam

I never like it when writers use the word "lose" to describe money not earned. Yeah, MGM is not earning as much as it could because of this attack. They are under pressure to settle with the attackers. Articles like this can increase that pressure. I'm glad that they aren't settling, and I'm certain that they will survive this attack.

@rahimnathwani

If your employer gives you 2 weeks notice of employment termination, did you lose your job?

After all, it only applies to future payroll periods.

@SoftTalker

If your salary was cut 20% next year, would you think you were not losing money because you had not yet earned it?

@kube-system

It's a loss of income. This is a common use of the word.

@bqmjjx0kac

Well, it's a loss of projected income, which in many ways is not real.

@CamelCaseName

It's not even that, it's revenue.

> MGM Resorts International could be losing between $4.2 million and $8.4 million in daily revenue

@kube-system

Revenue is a measure of income. Unless speaking about specific types of revenue or specific types of income, they are synonymous.

@kube-system

It is just plain normal language to refer to a loss as a comparison against a current trajectory or current state. It is reasonable to assume that the reader/listener knows that the future cannot be predicted exactly, because this is generally true. This is why it isn't said explicitly.

It would be silly to correct someone who said "I just accepted a $120,000/yr job" with "you don't really know for sure, you could get fired or die". The colloquial presumption is that the rate of future income cited is dependent on a steady trajectory without confounding variables.

@Groxx

It's real enough that companies regularly borrow against it, which is about as real as anything is with money.

@JumpCrisscross

> it's a loss of projected income, which in many ways is not real

About as real as money.

@paulddraper

It's more real than not.

@libraryatnight

There's lots of instances where I'd agree, but this one seems like a tried and true business with years of revenue to gauge how much they are in fact "losing" on average.

I also wonder how much pressure it puts on MGM - who are no doubt very much aware of the loss (every major outage I've been on eventually comes down to how much did this cost us - whether it's money, customer attrition, customer trust etc) vs how much pressure it puts on executives following along to maybe pay attention to their IT and security teams. Pipe dream.

@RandallBrown

You're getting a lot of comments to the contrary, but I agree with you.

There is a difference between losing money (like someone is actually stealing the money) and not getting money you were hoping/expecting to get. In this context it can even be a little bit confusing since there are criminals involved that could actually be stealing money.

Language has lots of ambiguities and despite this being a common way of describing this situation, I don't like it. Some people don't like the word "moist" either and that's just fine. It's an opinion.

@paulddraper

> I never like it when writers use the word "lose" to describe money not earned.

What's the difference between not earning $8M and earning $8M and losing it?

Bank account looks pretty similar.

@NegativeK

There's an implied "losing $X [in comparison to expected revenue]" every time they say it.

It's a reasonable perspective from accounting and, in my mind, a reasonable shorthand. For a more literal version of losing, people would be saying misplacing or stealing.

@SeanAnderson

Huh? Google says MGM Resorts opex for 2022 was 11.6B or 31M/day, net income 1.4B or 3.8M/day.

It doesn't seem unreasonable to say they are, in fact, losing 8.4M/day to opex.

@slashdev

Money not earned is equivalent to money lost in this case. It will affect their quarterly results the same way.

@snickerbockers

How is it even possible for all aspects of such a massive enterprise to all share a single point of failure like that? And why can't they just cut their losses on the past N days of business, restore all these servers from snapshots and get back to business?

@specialp

There are multiple things that are done here. Suppose you had great, immutable backups. There are still many things that can ruin your business:

1. Restoring networks, servers, third party services with knowledge that anything you restore could be compromised as well. Keys

2. The attackers will then threaten to dump all of your private information.

It is more than just restoring data, it is restoring and resetting your entire infrastructure. And most places have backups, but they don't practice entire restores.

@SteveNuts

Often the attackers wait until the retention policy for backups has been hit before unleashing the payload of ransomware.

This way, even if you have a snapshot from 7 days ago, it's also infected.

Or even worse, they have physical access to the backup server/storage and just delete backups or infect them as well.
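The retention-versus-dwell-time problem described in the two comments above, as an added example (not from the thread or from MGM): a small model that checks whether a rolling snapshot policy still holds a restore point that predates the earliest compromise indicator and that the attacker could not have deleted. All dates and the 12-day dwell time are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken: datetime
    immutable: bool  # True if held on WORM/offline storage the attacker cannot delete


# Constructed scenario: daily snapshots kept 7 days, ransomware detonated on
# 2023-09-10, and the earliest intrusion indicator found 12 days before that.
RETENTION_DAYS = 7
DETONATED = datetime(2023, 9, 10)
EARLIEST_COMPROMISE = DETONATED - timedelta(days=12)


def snapshots_in_retention(now, retention_days, immutable=False):
    """Snapshots still present under a rolling daily retention window."""
    return [Snapshot(now - timedelta(days=d), immutable)
            for d in range(retention_days + 1)]


def clean_restore_points(snapshots, earliest_compromise):
    """Restore points taken before the compromise AND beyond the attacker's reach.

    A mutable snapshot is not counted even if it predates the compromise: an
    attacker with access to the backup store may simply have deleted it."""
    return sorted((s for s in snapshots
                   if s.taken < earliest_compromise and s.immutable),
                  key=lambda s: s.taken)


def retention_gap_days(retention_days, dwell_days):
    """Extra days of retention needed to keep one pre-compromise snapshot.

    0 means the current policy already spans the observed dwell time."""
    return max(0, dwell_days - retention_days + 1)


if __name__ == "__main__":
    held = snapshots_in_retention(DETONATED, RETENTION_DAYS, immutable=True)
    print("clean restore points:", len(clean_restore_points(held, EARLIEST_COMPROMISE)))
    print("retention shortfall (days):", retention_gap_days(RETENTION_DAYS, 12))
```

Run against a real environment, the dwell figure comes from the incident timeline and the retention figure from the backup policy; the shortfall is what the policy needs to grow by before a restore is trustworthy.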

@jachee

“The DR planning meeting has been once again postponed until next quarter…”

Some middle-manager somewhere, probably.

@guestbest

People are saving up to $8.4M a day due to cyberattack, and gambling addicts are being spared, analysts say

@SnorkelTan

Yep. They definitely can’t walk down the street to another casino to make poor decisions.

@jiofj

Imagine being one of the guys in charge of cybersecurity of MGM. I would dig a hole and hide.

@graton

Or they have been telling management for years that security needs to be improved and more spending is needed to do that but management declined to provide funding.

@jszymborski

The cybersecurity team will probably take the fall for it, but if I had to take a guess, their budget was probably nowhere near where it should be for a team that is responsible for protecting $8.4M of revenue a day.

@insanitybit

If you're the CISO or whatever it's basically your job to get fired when this happens tbh

@ComputerGuru

I think those heads are on the chopping block no matter which hole they’re hiding in.

@NegativeK

I'd say that responsible organizations know that a hack is inevitable and you evaluate based on the response, but I've heard from people who've worked at MGM in the past that the place is disgustingly cutthroat.

@Sytten

Bold of you to assume there was one (before the incident) /s