As you may recall, Amaturo Sonoma Media Group—ASMG, which publishes this magazine—suffered a ransomware attack in late June. The attack caused four of ASMG’s radio stations to go off the air and encrypted all of its business data and backups. ASMG chose not to meet the ransom demand, instead choosing to painfully reconstruct their systems.
In September, two publicly-traded Las Vegas casino groups—MGM Resorts International and Caesar’s Entertainment—were hacked by attackers who threatened to release customer data to the public. While the hackers demanded a ransom in these cases, as well, both companies could access their data unimpeded. Unlike ransomware attacks, the threat hinges on the many downsides—particularly for a public company—of having sensitive data stolen.
Caesar’s experienced a breach of its customer rewards database on Aug. 23, which was not discovered until Sept. 7. Per a Sept. 14 filing to the U.S. Securities and Exchange Commission, the stolen data “includes driver’s license numbers and/or social security numbers for a significant number of members in the database.” The filing continues: “We have no evidence to date that any member passwords/PINs, bank account information or payment card information were acquired by the unauthorized actor.” Reportedly, Caesar’s paid “tens of millions” of dollars to the criminals to prevent release of customer data. Although the exact number of affected members was not reported, a required filing with the Maine Attorney General’s office indicated that over 40,000 Maine residents were affected, which suggests that the total number was much, much larger.
MGM reported “cybersecurity issues” on Sept. 11. It appears that they did not choose to pay the ransom, as normal operations were not restored until nine days after the attack. On Oct. 5, MGM provided additional details about the attack: names, contact information, gender, date of birth, and driver’s license, passport and even Social Security numbers from “some customers” were stolen.
Both companies were apparently hacked using “social engineering,” which means convincing people within an organization to provide information allowing unauthorized access to the organization’s systems. The hackers appear to have employed “voice phishing” or “SMS phishing”, which can make a phone call or text appear to be from a trustworthy source. On social media platform X, user vx-underground commented: “All [the MGM hackers] did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33.9 billion was defeated by a 10-minute conversation.”
In another forum, one reader gave a more detailed explanation, “If I had to guess, they figured out some super admins [names] from LinkedIn then called the help desk impersonating them and ask[ed] for a password/MFA [multi factor authentication] reset—surprisingly a lot of orgs don’t verify callers for these kind of requests.”
While MGM and Caesar’s are large, publicly traded companies, even small organizations can fall victim to social engineering, particularly phishing attacks—by voice, SMS or the more common email variety. Sadly, the only answer is to make sure that your employees are educated about the threats and know how to respond to requests for access to your systems. With phone-based fishing, remember that a bad actor is faking their number. To verify someone is calling from a given number, call them back at that number.
Big hacks on well-known companies make the news, but the reality is that cyberattacks on small businesses are increasing even faster than the average, because smaller organizations tend to have weaker (or non-existent) security. Even though the payouts are smaller from these easier targets, it also reduces the chance that law enforcement will pursue the criminals.
Finally, I’ve been thinking about doing a column addressing your pet peeves with technology. Here’s one of mine: We have an “internet-enabled” oven from General Electric, which allows us to control all the oven functions from an app on our phones. Great, right?
There’s only one hitch. To do anything remotely with the oven, you have to press the “Remote Enable” button on the control panel beforehand. In other words, you have to know, before leaving the house, that you plan to use the oven. This is completely at odds with my most common use case: on the spur of the moment, I decide to buy something to bake in the oven (e.g., takeout from Papa Murphy’s pizza, or a frozen lasagna from Safeway), and I can’t start the oven remotely.
GE’s support site lamely recommends “pressing the Remote Enable button each time you turn off the oven (or remove your food) so this feature will be ready for remote use the next time you need it.” And I understand that GE probably feared a lawsuit from someone forgetting they stored something flammable in the oven and burning down their house. But it really defeats the whole purpose of remote access.
Is it just me? If you have a particularly irritating bit of tech in your life, drop me a line at mike@mikeduffy.com.
