A Grand Failure At MGM

The casino slot machines were hacked....

It was early on a Monday morning and I wanted to kill some time at the casino.  I was staying at the Delano – part of Las Vegas’ Mandalay Bay – and I had to pick up some friends in a little while and take them to the airport.  The casino was a bit different however…most of the machines were off.  That was the second sign that something was seriously wrong. 

When I found a machine that was actually working and put a twenty-dollar bill into it, it didn’t recognize my players’ card.  Because of that I cashed out, not wanting to play without receiving the loyalty credit.  The machine then alerted me that I had to wait for an attendant to come by to give me a “hand-pay” of my twenty bucks.  That was the third sign of trouble.  The first sign actually took place the night before, when I opened my MGM app after a particularly expensive dinner with friends to make sure that I got credit for the spend, and the app reported the system was “undergoing maintenance” (which I believed at the time).  Now I put 1, 2 and 3 together and figured out that there was something seriously wrong.

I wish I could tell you the hacking story at MGM Resorts is unique, but it is not.  After many rounds of layoffs that decimated their IT team despite the firm showing soaring profits (3.94 billion), their IT systems were simply a joke of vulnerability just waiting to happen.  When a hacking group hit them and demanded ransom, which MGM didn’t pay, their entire technology world was taken down.  At that point all of us guests learned just how tied-together their various systems were.

Commenting only on the state of the technology, there is NO EXCUSE for a firm the size of MGM to not have their systems isolated from each other to some degree.  For a single hack to be able to take down slot machines, ATMs, in-room TV menus, their website, their app, room keys, credit-card readers, heck – even the kiosks one uses to retrieve a valet-parked car or pay for parking – is simply unforgivable.  IT professionals know that these various systems should be isolated to some degree, so that just such a failure or breach won’t cascade like it did.  This applies to every enterprise, but one that deals with millions in cash every day should have been especially hardened – and it clearly was not.  Every enterprise needs to educate their staff about phishing, spear-phishing, and other hacks, but once a system is compromised, the damage should be limited by the network design.  Again, clearly at MGM, it was not.     

As I write this blog, MGM has re-launched a new website, but for weeks if you tried to click “sign-in or sign-up” it didn’t work.  The equivalent of this in the frequent-flyer world would be getting no credit for your flights, not being able to spend your miles, not being able to buy a ticket with cash and list it to your account, not being able to spend any credits you have, not being able to see if the promised point bonuses were credited, and not even being able to see the status and/or balance of your account.  How much money would an airline lose per day if that was their state?  Well, that is MGM’s state today…and for more than a week now…at every single one of their resorts across the US.  (Today, about a month later, you can see your reservations, but still not your account status.)

Then, add to all of the above the news that the Caesars resort chain was also hacked a few weeks ago and they decided to pay the ransom to not get shut down.  Who knows what personal information hackers have of Caesars customers?

Las Vegas resorts (as well as the entire travel and hospitality industry) are actively cutting services and personnel and charging some of the highest prices ever.  The greed of their leaders is clearly visible, with them wanting to maximize profits by cutting back wherever they can.  Hopefully MGM and everyone else have learned that many of said cuts leave them vulnerable to millions and millions in losses and reputational damage.  Maybe now some of these leaders will be replaced by people who will be happy with slightly lower profits at safer, fairer and smarter organizations.
