Nearly two and a half years have passed since Colonial Pipeline put ransomware into the headlines. Since then, ransomware has ebbed and flowed, but high-profile companies continue to fall prey to cybercrime threat actors, with no end in sight. In a stark reflection of this reality, two behemoth Las Vegas-based casinos—MGM and Caesars Entertainment—became the latest targets, though with one key factor making a difference in the aftermath.
Both attacks reportedly occurred almost simultaneously. MGM was the first to be visibly affected, with operational issues involving slot machines, reservations, and hotel key cards on Sunday, September 10th. Later that week, on Thursday, September 14th, Caesars Entertainment reported that they also had been the victims of a cyber attack, beginning on September 7th.
The filings were significantly different: MGM’s report was a single paragraph and contained few details about the extent of the incident. Caesars' filing was more robust; it described:
- The root point of compromise of its network
- The extent of personal information that had been compromised
- The impact of the incident on Caesars' business operations, and its materiality to their financial condition
- The focus of their ongoing response to the attack
Both companies are already the target of shareholder class action lawsuits; those proceedings will certainly draw the attention of those curious about how the SEC will enforce their recently-issued reporting requirements.
The threat actor likely responsible for these attacks is the Scattered Spider hacking group. Scattered Spider is a subset, or affiliate, of the more recognized AlphV, a ransomware threat actor group that has been around since 2021. AlphV is notorious for its attacks on Reddit and MKS Instruments, with the latter costing that business a staggering $200 million in sales.
According to reports, Scattered Spider used similar tactics to exploit both companies’ networks, using social engineering to trick IT help desk employees, then gaining access through Okta’s access management product.
Scattered Spider demanded a ransom payment from both MGM and Caesars in order to restore their systems and suppress the leakage of stolen sensitive information. Caesars is reported to have paid $15 million of the original $30 million demand for the hackers to delete the data that they collected. According to AlphV, MGM did not engage in negotiations at all. This difference makes for an interesting comparison.
Primarily, the organizations are in the same industry, combining a casino with a hotel and resort. On a business level, MGM (NYSE: MGM) and Caesars (NYSE: CZR) are remarkably similar; both are global casino resort operators whose main market is Las Vegas. MGM and CZR have similar stock market capitalizations; before the attacks became public on September 9-10, MGM was valued at $15.2 billion, and CZR had an $11.7 billion valuation. Both pull in several billion annually in revenue ($13 billion for MGM, $10.8 billion for Caesars), and the two organizations are also about the same size (57,000 employees at MGM and 49,000 at Caesars). Both companies have similar headcounts (57,000 employees for MGM; 49,000 for Caesars), annual revenues ($13 billion for MGM; $11.7 billion for Caesars), and EBITDA ($3.4 billion for MGM; $3.3 billion for Caesars).
Although it isn’t clear that Caesars faced a choice between making a ransom payment and shuttering its operations for 10 days like MGM did, spending $15 million to prevent a similar outage looks like a rational, if unfortunate, decision.
Worse, both companies' stocks have taken a beating since the attacks became public. This stands in contrast to a recent report suggesting cyber incidents had not previously impacted public equity valuations. As of Thursday’s (September 21, 2023) close, CZR had shed over $1.5 billion in shareholder equity; MGM lost over $2.2 billion.
Stock market performance of MGM and CZR vs. Gaming Index (BJK) since attacks became public. Teal: VanEck Gaming ETF; Orange: Caesars; Blue: MGM
Both companies' reputations suffered from negative press, but, again, MGM seems to have taken the larger hit. Their case has spurred more Google searches, with their data breach creating worries about leaked confidential information. That isn’t to say that Caesars has escaped with their reputation unscathed: the company disclosed that the hackers copied from a loyalty-rewards database that included Social Security numbers and driver's licenses.
Many questions still remain in the aftermath of these attacks: What will the long-term impact be on MGM and Caesars? (How) did Las Vegas Sands and Wynn Resorts keep Scattered Spider at bay? Will these events be (yet) another watershed moment for cybercrime, cyber regulations, and law enforcement?
For now, the lessons that stand out are all in the differences between MGM's and Caesars' responses in the immediate aftermath of the attacks: Caesars paid the ransom, while MGM ignored the threat actors. MGM lost 10 days of business; Caesars was able to maintain its operations. Caesars reported thoroughly while MGM kept things close to the vest. So far, at least, Caesars seems to be ahead in the courts of public opinion and the stock market. Stay tuned to Digital Asset Redemption to see how this strange ransomware experiment plays out!