
Lawsuits Allege MGM, Caesars Neglected Cybersecurity Preparedness  


Skift Take

Rewards members filed lawsuits against the gaming companies citing a lack of adequate cybersecurity measures. Can the possibility of similar attacks put attendee data at risk?

Five lawsuits were filed last week against MGM International and Caesars Entertainment. The lawsuits allege that the gaming giants did not have adequate cybersecurity measures in place and failed to notify customers in a timely manner. Hackers claim to have gained access to roughly six terabytes of customer information.

All lawsuits seek monetary damages for alleged breach of contract, negligence, and unjust enrichment. Additionally, they seek restitution for all damages, including punitive, actual, and statutory damages, along with the cost of jury trials.

The plaintiffs’ suits contend that both companies neglected to take the necessary measures to safeguard reward club members’ data, including sensitive information, violating Federal Trade Commission standards for the industry. The lawsuits also contend that those affected by the data breach caused by the cyberattacks must now monitor financial data for the rest of their lives.

According to plaintiff Emily Kirwan’s lawsuit, MGM “was aware that it was vulnerable to this type of attack because the IT vendor that it relied upon, Okta, had warned of ‘a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication factors enrolled by highly privileged users.’”

The Impact on Meeting Planners

The Securities and Exchange Commission (SEC) adopted its final rules on cybersecurity disclosures last July, and they went into effect in September. This adds an item to the list of concerns carried by meeting planners, which already includes RFPs, A/V issues, speakers dropping off at the last minute, and climate incidents, among others.

This will likely lead to additional paragraphs in contracts between groups and third-party planning companies. There must be clear measures in place around collecting and processing registration data, according to Tyra Warner, Ph.D., JD, CMP, dept. chair, Hospitality & Tourism, The Coastal College of Georgia. The recent lawsuits further highlight the enhanced risk to groups posed by cyberattacks. 

In addition to compromising attendee data, cyberattacks can derail meetings in many other ways. The attack on MGM on September 10 impacted on-site customer services, digital room keys, and the MGM website. Room bookings were only available through third parties.

The new SEC ruling requires all publicly traded companies to disclose cybersecurity incidents. This regulation may give planners crucial information to better vet companies for their history of cybersecurity issues. 

To Pay or Not Pay Ransom

MGM informed the SEC of the cyberattack in a Form 8-K filed on September 12. It has not disclosed paying a ransom. Caesars filed a Form 8-K on September 7 and admitted to paying a total of $15 million to hackers. It issued the following statement: “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
