The personal details of more than 10.6 million MGM Resorts International (MGM) guests were published on a hacking forum last week.
According to ZDNet, MGM said, “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts... We are confident that no financial, payment card or password data was involved in this matter.”
The issue reportedly dates back to July 2019, when guest records started to appear on hacker forums, and MGM indicated that it notified customers at that time.
MGM is a $15+ billion global hospitality and entertainment company, and its management and shareholders can look at this breach as a one-off incident or as part of a more systemic risk that needs to be managed. It is likely that the external cyber forensic firms that conducted the post-breach investigation indicated to management that no financial or payment card information was compromised. However, a couple of things are worth noting about a higher-profile customer data breach of this kind:
- Limited financial impact of customer data breaches. Customer data loss breaches cause damage, but not of the same magnitude as business disruption breaches, even for consumer discretionary companies that are more sensitive to public reputation. For example, competitor Sands’ customer data breach in 2014 did not result in any sustained financial impact.
- Proactive or reactive discovery of breach. It is not clear whether MGM identified the breach itself and then notified customers of the stolen data, or if the discovery of customer data on hacker forums led to MGM’s recognition of the breach. Approximately 70% of breaches go undetected by companies and an even larger percentage go unreported completely, according to Cyberhedge data.
MGM operates globally and increasingly relies upon digital technology to function. It initiated a digital transformation process a few years ago, in part with the aim of improving the customer experience from booking to check-out. A market seeking more “frictionless” experiences demands that companies like MGM undertake these efforts. The new customer platform and digital tools also greatly increase MGM’s ability to gather highly valuable customer behavioral data. However, as Marriott learned in late 2018, these initiatives also create additional vulnerabilities for business operations that can lead to costly disruptions if compromised. For example, a ransomware attack on the MGM network impacting the booking system would get very costly very quickly, which is why breaches that disrupt business lead to much greater shareholder value loss and take longer to recover from than breaches that compromise customer data.
Moving forward, the question for shareholders should be whether this incident is an indication of wider cyber governance challenges within the company. A customer data breach is never positive, but the risk of a business disruption is what management should be focused on in the realm of cyber risks.