
What the Las Vegas Casino Breach Can Remind Us About Credit Card Data Security

October 23, 2023

The numbers are in, and it’s not looking good: last month’s successful cyberattack on MGM Resorts in Las Vegas cost the company an estimated $100 million. Even though the resort quickly shut down their systems when they detected unauthorized third-party activity, the hackers were able to successfully obtain phone numbers, email addresses, drivers’ license numbers, social security numbers, passport numbers, and other forms of personal information for a number of the company’s customers.

While few merchants are the same caliber target as MGM’s multi-billion-dollar organization, smaller businesses are far from immune to similar threats. In fact, because many hackers know that smaller companies do not have the same large cybersecurity budgets – or large information security teams – smaller organizations are often perceived as “low-hanging fruit.” And because malicious actors are after the maximum impact with the least possible effort, this can lead to a dangerous predicament.

So: what can the Las Vegas casino breach remind us about credit card data security?

  1. Attacks don’t have to be particularly sophisticated to be successful. In the case of the MGM breach, it appears that the hackers found an employee’s information on LinkedIn. From there, they called the MGM help desk and impersonated the employee; obtained their credentials; then accessed the casino’s systems and infected them with ransomware. This was not an elaborate technical scheme, but rather a basic breakdown of security protocols in the face of social engineering.
  2. Storing sensitive data on your system is never a good idea. Even with strong security controls in place, breaches are always a possibility. However, if a malicious actor does successfully access a particular environment, they can only access the data that is physically present. Storing credit card numbers and security codes in an offsite vault – for instance, through remote tokenization – means that in the event of a worst-case scenario, your cardholder data would still not be exposed.
  3. The impact of a breach can be felt long after the immediate threat has been resolved. While MGM is forecasting a near-return to normal by the end of November (two months after the original incident), their security and legal teams will continue to deal with the repercussions for the foreseeable future. The company will be tasked with providing identity protection and credit monitoring services to the customers whose data was exposed, while also consulting with third-party security providers to shore up their defenses against a repeat incident. While manageable for an organization with 83,000+ employees, considerable brand recognition, and decades of hard-earned customer loyalty, the potential impact to a smaller organization stands to be even more substantial.
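
To make point 2 concrete, the following Python example (added here for illustration; it is not Curbstone's code or API) contrasts a merchant database that stores card numbers with one that stores only tokens, and scans a copy of each for card numbers. The names `RemoteVault`, `store_order`, `find_pans` and `exposed_in_dump` are hypothetical, the vault is simulated in memory, and the card number is a constructed test value.

```python
import re
import secrets
import string

def luhn_valid(number: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class RemoteVault:
    """In-memory stand-in for the offsite tokenization provider (hypothetical)."""
    def __init__(self):
        self._pans = {}  # token -> card number; exists only on the provider side

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Random letters: the token is not derived from the card number and
        # cannot itself be mistaken for one by a scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pans[token] = pan
        return token

def store_order(db: list, vault: RemoteVault, order_id: str, pan: str, cvv: str) -> None:
    """Merchant side: persist the token and last four digits only."""
    token = vault.tokenize(pan)
    # The security code (cvv) is needed for authorization only and is never written.
    db.append({"order": order_id, "card_token": token, "last4": pan[-4:]})

def find_pans(text: str) -> list:
    """Return 13-19 digit runs in a data dump that pass the Luhn check."""
    runs = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [r for r in runs if luhn_valid(r)]

def exposed_in_dump(db: list) -> list:
    """Card numbers an intruder would get by copying the merchant database."""
    return find_pans(repr(db))

# Constructed sample data; 4111111111111111 is a widely used test card number.
TEST_PAN = "4111111111111111"
legacy_db = [{"order": "A100", "pan": TEST_PAN, "cvv": "123"}]  # card data stored locally
tokenized_db = []
store_order(tokenized_db, RemoteVault(), "A100", TEST_PAN, "123")

if __name__ == "__main__":
    print("legacy dump exposes:   ", exposed_in_dump(legacy_db))
    print("tokenized dump exposes:", exposed_in_dump(tokenized_db))
```

The same `find_pans` scan can be pointed at exports, logs, or backups to confirm that no card numbers remain in the merchant environment after moving to tokenization.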

Of course, this isn’t meant to instill fear, but rather to remind companies to stay vigilant. Merchants must stay on top of their compliance requirements, including vulnerability scans and annual self-assessment questionnaires. If the burdens of security and compliance are too much to manage through their own efforts alone – which is more common than you might think – they can also offload some of the requirements to a third-party service provider.

With 20+ years of experience in the credit card industry, Curbstone has helped hundreds of merchants protect their data and make PCI compliance less time-consuming. Learn more in our Complete Guide to PCI Compliance for Merchants, or contact us today to learn more about secure, integrated payment processing.