GRU’s Grand Day Out and MGM’s Bad Privacy Luck

In the last twenty-four hours, we’ve had two powerful reminders of the growing need for cybersecurity and digital privacy solutions. The first was the announcement from gaming and hospitality giant MGM Resorts International (MGM) that it had been the victim of a data breach in 2019. The second was a statement from the US State Department blaming the Russian military intelligence agency known as the GRU for the cyberattacks that hit Georgia last October and disrupted “several thousand Georgian government and privately-run websites and interrupted the broadcast of at least two major television stations.” 

As the digital world becomes increasingly pervasive, so too does the need for cybersecurity and data protection solutions. The passage of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act are both driving spending on security measures as companies race towards compliance with these new personal data privacy regulations.

In the case of the MGM breach, the personal details of more than 10.6 million guests of the resort chain were published on a hacking forum, including information from driver’s licenses, passports, and military ID cards. While the company doesn’t have any current operations in California, it does have operations in Maryland, Massachusetts and New York. All three of those states introduced new privacy laws in 2019, which are pending in Maryland and Massachusetts but active in New York as of January 2020. 

Those new laws and a growing number of similar legislative acts emerging in other states are intended to increase the cost of data breaches to companies. As we noted in “A Whitepaper on Cybersecurity and Privacy”, fines associated with privacy law violations can be $100-$750 per user, which could be financially devastating. If a company doing business in California experienced an attack similar in size and scope to MGM’s, it would be staring down a potential fine between $1-$8 billion. For some perspective, the MGM breach paled in comparison to the 2018 breach at Marriott International (MAR) that exposed data of up to 500 million guests.

Luckily for MGM, this data breach occurred in 2019 before new privacy laws were enacted this year. Even so, in response to the attack, MGM retained two cybersecurity forensics firms to conduct an internal investigation into the server exposure and has “strengthened and enhanced the security of our network to prevent this from happening again.”[1] That means spending on cybersecurity and data privacy solutions. Given the evolving nature of attacks, this will not be a one-time investment. MGM, and all companies facing such risks, will need to be perpetually vigilant in safeguarding their networks, especially customer data.

Threat intelligence firm KELA identified the culprit behind the MGM attack as a member of the GnosticPlayers[2], a hacking group responsible for the hacks of more than 45 companies and the leaking of over one billion user records throughout 2019. The new privacy laws in the US and the European Union expand the potential damage such hacking groups can inflict on companies, increasing the need for cyber protection lest they leave themselves vulnerable to attacks and privacy-related fines. The new privacy regulations increase the potential financial harm to a company from hacking, creating yet another powerful incentive for preventative security spending. 

While the attack on MGM was a clear example of the need for better corporate cybersecurity and data privacy, the cyberattack on Georgia is one of cyber warfare. The Georgia attack knocked out thousands of government, private sector, and media websites, and interrupted broadcasts of at least two major television stations.

The UK’s National Cyber Security Centre (NCSC) concluded, “with the highest level of probability,” that the attacks, aimed at web-hosting providers, were carried out by the GRU (a Russian military spy agency) in a bid to destabilize the country. The GRU is also believed to be behind NotPetya, a June 2017 cyberattack that invaded global corporate networks, crashing many systems worldwide and disrupting business for companies including “Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, Mondelez, and Reckitt Benckiser.”[3]

In terms of the size of the NotPetya attack, “According to confirmation received by WIRED from former Homeland Security adviser Tom Bossert, the result of this attack was more than $10 billion total loss in damages.”[4] That compares to losses of $4-$8 billion associated with the WannaCry virus in May 2017.

While the attack on Georgia is gaining renewed exposure, the reality is it is just the latest in a growing number of cyber warfare attacks; a list of such attacks is being compiled by the Center for Strategic & International Studies. 

The bottom line is in a world of increasing connectivity that brings ever greater accessibility, companies, governments, and institutions are facing a cyber arms race that will generate continual and growing demand for evolving cyber defense solutions. If a company opts not to secure itself, it risks devastating fines. We suspect the more prudent companies will instead engage with cybersecurity and data privacy companies that comprise the Foxberry Tematica Research Cybersecurity & Data Privacy Index.


[1] ZDNet, “Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum”, 2020. Available at https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

[2] ZDNet, “Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum”, 2020. Available at https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

[3] NS Tech, “Russia’s GRU launched cyberattacks aimed at destabilising Georgia, says NCSC”, 2020. Available at https://tech.newstatesman.com/security/russia-gru-cyber-attacks-georgia-ncsc

[4] Business Standard, “NotPetya: How a Russian malware created the world’s worst cyberattack ever”, 2018. Available at https://www.business-standard.com/article/technology/notpetya-how-a-russian-malware-created-the-world-s-worst-cyberattack-ever-118082700261_1.html

With 2017 Poised to be the Year of Ransomware, More Cyber Spending is on the Way

With headlines swirling following the WannaCry attack that hit more than 230,000 computers across more than 150 countries in just 48 hours, on this episode of Cocktail Investing we spoke with Yong-Gon Chon, CEO of cyber security company Focal Point, to get his insights on that attack and why ransomware will be the cyber threat in 2017. Before we get into that Safety & Security conversation, Tematica’s investing mixologists, Chris Versace and Lenore Hawkins, broke down last week’s economic and market data as well as the latest relevant political events. With all the controversy in D.C., there was a lot to discuss concerning the likelihood that the Trump Bump, which was based on assumptions around tax reform, regulatory roll-back, and infrastructure spending, is evolving into the Trump Slump as investors realize the anticipated timeline for such was decidedly too aggressive. With mid-term elections looming, we expect the Trump opposition will be emboldened by the controversy surrounding the administration and will put in their best efforts to appeal to their constituents. For the market, it’s another reason to see the Trump agenda likely slipping into late 2017-early 2018, and that realization is likely to weigh on robust GDP and earnings expectations for the balance of 2017.

The markets on May 17th suffered their biggest losses in 2017, with the Nasdaq taking the biggest one-day hit since Brexit, as the turmoil in Washington dampens investors’ appetite for risk while raising questions over GDP and earnings growth. While some Fed banks are calling for 2Q 2017 GDP as high as 4.1 percent (quite a jump from 1Q 2017’s 0.7 percent!), the data we’re seeing suggests something far slower. We continue to think there is more downside risk to be had in GDP expectations for the balance of 2017, and the latest Trump snafu is only likely to push out team Trump’s reforms and other stimulative efforts into 2018. If 2Q growth is driven in large part by inventory build, which is what the data is telling us, expect the second half to be significantly weaker than the mainstream financial media would lead you to believe.

While the global financial impact of the WannaCry ransomware attack may have been lower than some other high profile attacks such as ILOVEYOU and MyDoom, the speed at which it moved was profound. We spoke with Yong-Gon Chon, CEO of Focal Point Data Risk about the incident to get some of the perspective and insight the company shares with its c-suite and Board level customers. While many are focusing on WannaCry, Yong-Gon shares that as evidenced by recent content hijackings of Disney (DIS) and Netflix (NFLX), ransomware is poised to be the cyber threat of 2017. Those most likely to be targeted are those organizations that prioritize uptime and whose businesses tend to operate around the clock, making backups and software updates extremely challenging.

While in the past IP addresses may have been scanned once every four to five hours, in today’s increasingly Connected Society, IP addresses are scanned one to ten times every second. As consumers and businesses in the developed and emerging economies increasingly adopt the cloud and other aspects of our Connected Society investing theme, we are seeing an explosion in the amount of data as more and more of our lives are evolving into data-generating activities. From wearables to appliances to autos, our homes, offices, clothing and accessories are becoming sources of data that goes into the cloud. With the Rise of the New Middle Class in emerging markets, we are seeing the number of households participating in this datafication grow dramatically, exposing new vulnerabilities along the way. That increasingly global pain point is fodder particularly for cyber security companies, such as Fortinet (FTNT), Splunk (SPLK) and Cisco Systems (CSCO), that are a part of our Safety & Security investing theme.

During our conversation with Yong-Gon, we learned that companies need to understand that breaches must be viewed as inevitable in today’s Connected Society; network boundaries are essentially a thing of the past. Security can no longer be about preventing nefarious actors from gaining entrance, but rather is now about managing what happens once a company’s network has been invaded. From a sector perspective, with all the regulation and reporting requirements in financial services, many of these firms are leading the way in how to best deal with such breaches.

For investors who want to understand the potential impact of cybercrime, Yong-Gon Chon suggests looking at how much data a company is generating and how the company is managing the growth of that data, with companies such as Facebook (NASDAQ:FB), Alphabet (NASDAQ:GOOGL) and Uber being examples of heavy generators. Investors need to look at a company’s cyber risk as a function of the magnitude of its data generation and the company’s level of maturity in addressing that risk. By comparison, companies not affected by attacks such as WannaCry need to be asking themselves why didn’t they get hit? Was it luck or did we do something right? If so, what did we do right and what is the scope of protection we have given what we’ve learned about the latest attack strategies?

We also learned about the new efforts underway globally to develop attribution of cyber threats so as to differentiate between those threats from professional cyber criminals versus the capricious tech savant engaging in ill-advised boundary exploration. Along with this shift is also a change in the boardroom, where cybersecurity is viewed in the context of its potential impact on the business, rather than as a function of a company’s IT department.

One thing we can be assured of is that hackers are watching each other and the good ones are learning what makes attacks fail and where organizations are weakest. As the Connected Society permeates more and more of our lives, these risks become more pernicious and their prevention more relevant to our everyday lives. The bottom line is we are likely to see greater cyber security spending in preventative measures as well as cyber consulting as those responsibilities become a growing focus of both the c-suite and board room.

Companies mentioned on the Podcast

  • Amazon.com (AMZN)
  • Apple (AAPL)
  • CVS Health (CVS)
  • Disney (DIS)
  • Facebook (FB)
  • Focal Point
  • JC Penney Co (JCP)
  • Kohl’s (KSS)
  • Macy’s (M)
  • Microsoft (MSFT)
  • Netflix (NFLX)
  • Nordstrom (JWN)
  • TJX Companies (TJX)
  • Twitter (TWTR)
  • Uber
  • United Parcel Service (UPS)
  • Walgreens Boots Alliance (WBA)

Resources for this podcast: