Steven Zuromski, chief information officer and vice president of information technology at Bridgewater State University, said Monday that the breach should serve as a reminder to consumers to monitor their finances for unexplained charges or new accounts.
Zuromski said a hacker group known as Blackcat or AlphaV has taken responsibility for the attack on MGM, using common methods of phishing and social engineering. The hackers gleaned information from an MGM employee’s LinkedIn account and used that knowledge to impersonate the individual and convince MGM employees to take steps that left the computer systems vulnerable.
“And wreak serious havoc over there for more than a week,” Zuromski said. “It appears to be pretty widespread.”
Widespread enough that Zuromski worries that consumer and account data might have been stolen. “If these actors were able to get this far,” he said. “MGM needs to be thinking very carefully about what data might have been exfiltrated.”
Last week, Caesars Entertainment told stock regulators that hackers stole Social Security numbers and driver’s license numbers of its loyalty program in a recent data breach.
On Monday, MGM executives briefed the Massachusetts Gaming Commission on cybersecurity issues at their Springfield casino, eight days after hackers damaged MGM’s computer systems companywide.
The discussion was kept to a closed-door executive session, just as commissioners did last week when they got an initial rundown on the hack.
STATE'S NEW RULES
Meantime, the Massachusetts Gaming Commission will host a roundtable Tuesday with the state’s sports betting operators to discuss implementation of new personal data rules the commission approved last month, according to spokesman Thomas Mills.
Those rules govern how the state’s in-person and mobile sports betting operators — a list that includes MGM — can collect and store personal data. The rules forbid them from using that data to suggest bets or from using AI or computerized algorithms to make gaming or sports wagering platforms more addictive.
At MGM Springfield and elsewhere, table games, slot machines, ATMs and guest reservation and registration functions were back up to normal Monday. MGM warned that MGM Rewards loyalty program members are still not able to access their benefits, however.
MGM also warned gamblers that there may be times when its ticket-in/ticket-out system is offline. If a ticket is not accepted at the slot machine it can be redeemed at a casino cashier.
MGM CEO William Hornbuckle issued a statement over the weekend thanking employees for their hard work and “good cheer” in the days since the cyber attack.
Beth Ward, MGM Springfield director of public affairs, said: “We continue to work diligently through a cybersecurity issue and we appreciate the commitment, compassion, and resilience of our amazing team members. Guest service is a top priority and we are grateful to our loyal customers for their incredible support during this time.”
'SECURITY HYGIENE'
According to Zuromski, the Bridgewater State expert, most cyber attacks start with social engineering. That’s why it’s important to that everyone gets training like the videos Bridgewater State shows its employees, along with regular reminders not to share information.
“Security awareness training is such a component to overall security hygiene,” he said. “Every employee within the organization is a security practitioner.”
There are also too few experts in the field. Zuromski cited data from the MassCyberCenter at the MassTech Collaborative that says there are more than 750,000 unfilled cybersecurity positions nationally, including 20,000 open jobs in Massachusetts.
The MassCyberCenter is helping to build cyber ranges — classroom and experimental laboratories for cybersecurity the way firearms training happens on a rifle range — both at Bridgewater State and at Springfield’s Union Station.
The Union Station cyber range, recipient last year of a $1.5 million state grant, is the product of a consortium of local colleges including Springfield Technical Community College, Bay Path University, Elms College, University of Massachusetts Amherst, Western New England University, Springfield College and American International College.
The Springfield cyber range is expected to open in early 2024.
©2023 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.
