Merchants provide a value to society and pirates harm that. The thieves are providing a value to society in this case by damaging casinos, which provide no value to society and only harm citizens.

Cyber privateering was mentioned like 10-12 years ago. Someone had a blog or similar referring to the 'Morgan doctrine'.

Edit: I found it. It looks more professionally edited and lengthy than when I first came across it in 2010(!).

Link: https://www.themorgandoctrine.com/2010/11/draft-01-cyber-pri...

The Cyber Privateer Code (draft 02—updated on 6/28/2013): - Any unauthorized attempt to access your computer or phish your data access privileges constitutes a crime punishable by the looting of the attacker's assets by an authorized cyber privateer. All assets. Within 6 months of the attack.

- If it is determined that the attacker is acting under explicit instructions from a larger organization or government, the assets of that organization or government are also forfeit to the extent that an authorized cyber privateer may confiscate them within a six month period of the original motivating attack. All assets.

- The individual whose assets were seized by a cyber privateer—or the publicly and legally designated spokesperson for the organization or government whose assets were seized by the cyber privateer—has the "right of parley" with the head of the cyber privateering organization, such meeting to take place online in a two-way video conference, such conference to be publicly recorded by one or both parties and before the disposition of the booty but no later than 10 days from the confiscation.

- Innocent victims whose assets are directly and mistakenly confiscated by cyber privateers (and whose funds are not returned within 10-days after the parley) shall be compensated in an amount equal to four times their loss, with interest accruing on the restitution amount at the rate of twelve percent per annum. This does not include victims of the cyber criminals, since they were already victimized.

- Notifications and requests for parley must be unambiguously left by the cyber privateer so as to allow the right of parley to be exercised in a timely fashion.

*These rules would of course lead to the worlds end in any significant conflict, imo. But it would certainly be fun for a minute.

It never stopped, and the US is one of the worst offenders

Check out War is a Racket, by US general Smedley Butler

Also the Snowden documents and the whole Asange/Wikileaks case

Will we see machineguns and hacker hanging cages installed in their buildings?

God damn them all, I was told / we'd abuse the C's for American gold...

Lots of us foresaw this (and much worse) when Bitcoin appeared.

Security is a SG&A line item, I am sure they are far more fixated on physical security due to their business vertical and had a gap. There will be many cyber companies chomping at the bit to get a piece of the inevitable (I made this number up) 100m MGM will spend on Cybersecurity over the next 5 years.

They won't make the same mistake twice and will build a comprehensive cybersecurity program, and it will succeed. Up until someone questions this cost and they forgot what they are paying for because everything was so smooth and repeat the cycle.

The objective of security is risk identification and management, not creating an impervious barrier for potential adversaries.

> Many companies underestimate threats until something like this happens

Speaking from my experience, many don't understand the threats even after an incident. The reaction is often to add 'more security' under any name. More restrictive policies, more scanning, more layers of MFA - just blindly layering on things because it's seen as 'more secure' without properly understanding how it affects risk is an awful approach to managing security.

Presumably the insurance requires a security audit (yearly?) in order to get in the first place?

As long as the auditors OK'd it then the insurance should pay out. Unless they can show that MGM intentionally lied in the information they gave the auditors -- which will surely now be gone through with a fine-toothed comb.

(See that HN thread from a couple of days ago wondering if they were personally liable for fraud for producing a document lying about pentesting.)

If your employer gives you 2 weeks notice of employment termination, did you lose your job?

After all, it only applies to future payroll periods.

If your salary was cut 20% next year, would you think you were not losing money because you had not yet earned it?

It's a loss of income. This is a common use of the word.

There's lots of instances where I'd agree, but this one seems like a tried and true business with years of revenue to gauge how much they are in fact "losing" on average.

I also wonder how much pressure it puts on MGM - who are no doubt very much aware of the loss (every major outage I've been on eventually comes down to how much did this cost us - whether it's money, customer attrition, customer trust etc) vs how much pressure it puts on executives following along to maybe pay attention to their IT and security teams. Pipe dream.

You're getting a lot of comments to the contrary, but I agree with you.

There is a difference between losing money (like someone is actually stealing the money) and not getting money you were hoping/expecting to get. In this context it can even be a little bit confusing since there are criminals involved that could actually be stealing money.

Language has lots of ambiguities and despite this being a common way of describing this situation, I don't like it. Some people don't like the word "moist" either and that's just fine. It's an opinion.

> I never like it when writers use the word "lose" to describe money not earned.

What the difference between not earning $8M and earning $8M and losing it?

Bank account looks pretty similar.

There's an implied "losing $X [in comparison to expected revenue]" every time they say it.

It's a reasonable perspective from accounting and, in my mind, a reasonable shorthand. For a more literal version of losing, people would be saying misplacing or stealing.

Huh? Google says MGM Resorts opex for 2022 11.6B or 31M/day, net income 1.4B or 3.8M/day.

It doesn't seem unreasonable to say they are, in fact, losing 8.4M/day to opex.

Money not earned is equivalent to money lost in this case. It will affect their quarterly results the same way.

There are multiple things that are done here. Suppose you had great, immutable backups. They still have many things that can ruin your business

1. Restoring networks, servers, third party services with knowledge that anything you restore could be compromised as well. Keys

2. The attackers will then threaten to dump all of your private information.

It is more than just restoring data, it is restoring and resetting your entire infrastructure. And most places have backups, but they don't practice entire restores

Often the attackers wait until the retention policy for backups has been hit before unleashing the payload of ransomware.

This way, even if you have a snapshot from 7 days ago, it's also infected.

Or even worse they have physical access to the backup server/storage and just delete backups infect them as well.

“The DR planning meeting has been once again postponed until next quarter…”

Some middle-manager somewhere, probably.

Yep. They definitely can’t walk down the street to another casino to make poor decisions.

Or they have been telling management for years that security needs to be improved and more spending is needed to do that but management declined to provide funding.

The cybersecurity team will probably take the fall for it, but if I had to take a guess, their budget was probably no where near where it should be for a team that is responsible for protecting $8.4M of revenue a day.

If you're the CISO or whatever it's basically your job to get fired when this happens tbh

I think those heads are on the chopping block no matter which hole they’re hiding in.

Bold of you to assume there was one (before the incident) /s