GRU’s Grand Day Out and MGM’s Bad Privacy Luck


In the last twenty-four hours, we’ve had two powerful reminders of the growing need for cybersecurity and digital privacy solutions. The first was the announcement from gaming and hospitality giant MGM Resorts International (MGM) that it had been the victim of a data breach in 2019. The second was a statement from the US State Department blaming the Russian military intelligence agency known as the GRU for the cyberattacks that hit Georgia last October and disrupted “several thousand Georgian government and privately-run websites and interrupted the broadcast of at least two major television stations.” 

As the digital world becomes increasingly pervasive, so too does the need for cybersecurity and data protection solutions. The passage of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act are both driving spending on security measures as companies race towards compliance with these new personal data privacy regulations.

In the case of the MGM breach, the personal details of more than 10.6 million guests of the resort chain were published on a hacking forum, including information from driver’s licenses, passports, and military ID cards. While the company doesn’t have any current operations in California, it does have operations in Maryland, Massachusetts and New York. All three of those states introduced new privacy laws in 2019, which are pending in Maryland and Massachusetts but active in New York as of January 2020. 

Those new laws and a growing number of similar legislative acts emerging in other states are intended to increase the cost to companies of data breaches. As we noted in “A Whitepaper on Cybersecurity and Privacy”, fines associated with privacy law violations can be $100-$750 per user, which could be financially devastating. If a company doing business in California experienced an attack similar in size and scope to MGM’s, it would be staring down a potential fine between $1-$8 billion. For some perspective, the MGM breach paled in comparison to the 2018 breach at Marriott International (MAR) that exposed data of up to 500 million guests.

Luckily for MGM, this data breach occurred in 2019 before new privacy laws were enacted this year. Even so, in response to the attack, MGM retained two cybersecurity forensics firms to conduct an internal investigation into the server exposure and has “strengthened and enhanced the security of our network to prevent this from happening again.”[1] That means spending on cybersecurity and data privacy solutions. Given the evolving nature of attacks, this will not be a one-time investment. MGM, and all companies facing such risks, will need to be perpetually vigilant in safeguarding their networks, especially customer data.

Threat intelligence firm KELA identified the culprit behind the MGM attack as a member of the GnosticPlayers[2], a hacking group responsible for the hacks of more than 45 companies and the leaking of over one billion user records throughout 2019. The new privacy laws in the US and the European Union expand the potential damage such hacking groups can inflict on companies, increasing the need for cyber protection lest they leave themselves vulnerable to attacks and privacy-related fines. The new privacy regulations increase the potential financial harm to a company from hacking, creating yet another powerful incentive for preventative security spending. 

While the attack on MGM was a clear example of the need for better corporate cybersecurity and data privacy, the cyberattack on Georgia is one of cyber warfare. The Georgia attack knocked out thousands of government, private sector, and media websites, and interrupted broadcasts of at least two major television stations.

The UK’s National Cyber Security Centre (NCSC) concluded, “with the highest level of probability,” the attacks, aimed at web-hosting providers, were carried out by the GRU (a Russian military spy agency) in a bid to destabilize the country. The GRU is also believed to be behind NotPetya, a June 2017 cyberattack that invaded global corporate networks, crashing many systems worldwide and disrupting business for companies including “Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, Mondelez, and Reckitt Benckiser.”[3]

In terms of the size of the NotPetya attack, “According to confirmation received by WIRED from former Homeland Security adviser Tom Bossert, the result of this attack was more than $10 billion total loss in damages.”[4] That compares to losses of $4-$8 billion associated with the WannaCry virus in May 2017.

While the attack on Georgia is gaining renewed exposure, the reality is it is just the latest in a growing number of cyber warfare attacks; a list of such attacks is being compiled by the Center for Strategic & International Studies. 

The bottom line is that in a world of increasing connectivity that brings ever greater accessibility, companies, governments, and institutions are facing a cyber arms race that will generate continual and growing demand for evolving cyber defense solutions. If a company opts not to secure itself, it risks devastating fines. We suspect the more prudent companies will instead engage with cybersecurity and data privacy companies that comprise the Foxberry Tematica Research Cybersecurity & Data Privacy Index.


[1] ZDNet, “Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum”, 2020. Available at https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

[2] ZDNet, “Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum”, 2020. Available at https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

[3] NS Tech, “Russia’s GRU launched cyberattacks aimed at destabilising Georgia, says NCSC”, 2020. Available at https://tech.newstatesman.com/security/russia-gru-cyber-attacks-georgia-ncsc

[4] Business Standard, “NotPetya: How a Russian malware created the world’s worst cyberattack ever”, 2018. Available at https://www.business-standard.com/article/technology/notpetya-how-a-russian-malware-created-the-world-s-worst-cyberattack-ever-118082700261_1.html