cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
dcontesti
Community Champion

17-Year-Old Arrested for Last Year's Ransomware Attack on MGM Resorts

UK police also seize 'a number of digital devices' and say the arrest is part of an ongoing operation to hunt down a cybercriminal group targeting major companies.

 

https://www.pcmag.com/news/17-year-old-arrested-for-last-years-ransomware-attack-on-mgm-resorts

 

5 Replies
Kyaw_Myo_Oo
Contributor III

Thanks for sharing @dcontesti.

 

 

Kyaw Myo Oo
Information Security Program Manager , CB BANK PCL
CCIE #58769 | PCNSE | SAA-C03 | CCSM | CISSP | PMP
ElectricLynn
Newcomer III

It is easy to see that it is important to apprehend and prosecute criminal activity when it occurs simply to maintain respect and avoid the degradation of enforcing the law, regulations and standards. Changes in deterrence can be seen by looking at a simple traffic signal placed on a busy street corner that is either enforced or not enforced by radar or patrol.  If the signal is not enforced, the tendency for society will be to ignore the traffic signal over time creating more incidents of accidents.  

 

The MGM simply did not even have a traffic signal.  Literally the front door to accessing their network of unknowing consumers was WIDE OPEN without complex passwords under scheduled automated expiration, personal reset questions to validate caller identification and two factor authentication that has been pushed for multiple decades.  It was the MGM that was WITHOUT any ability to validate caller ID in a simple password reset that tipped off this breach.  Therefore, I feel MGM holds the most accountability than the 17 year old from the beginning for this breach as well as the Las Vegas Sands for their SECOND BREACH on the opening day of their $2.3 billion Sphere which occurred just days prior to the MGM breach.  After all, how can I expect any level of security if I leave the front door to my house WIDE open for anyone to walk in for milk and cookies.

 

I was involved in an Iranian breach that was based on the constant tug of war between humans and their inability to follow proper password maintenance.  At the time we were looking into an application that took away password maintenance from users because there was ZERO trust that access could be managed correctly by our internal teams of users and IT; boy were we right!  It was an IT administrator that placed all their passwords online in a nice UNENCRYPTED TEXT FILE so they could be accessed remotely from any location that lead to our demise.

 

Back then we had personal questions to validate identification just to unlock accounts and required a personal appearance with photo ID to reset.  This is why I was surprised to find this was not so with MGM. That's a lot of wasted time not focused on their GAPs in security. This particular breach was a HUGE unacceptable GAP!

 

https://inszoneinsurance.com/blog/cyberattack-mgm-resort-explained

v/r EL
ElectricLynn
Newcomer III

Sorry for being irritated. Spent a lot of time cleaning up audit remediations of prior staff just so that it can be sent right back down to ground zero.
v/r EL
denbesten
Community Champion


@ElectricLynn wrote:

I feel MGM holds the most accountability than the 17 year old ... After all, how can I expect any level of security if I leave the front door to my house WIDE open for anyone to walk in for milk and cookies


The 17-year old is the one who should be in the defendant's chair, not MGM.  Per the article you linked, the 17 year old pretended to be somebody he was not to get a "key" to which he was not entitled, stole materials that clearly would not be offered to him and then held them hostage asking for a ransom.  All of this is far beyond what anyone would consider innocent behavior.

 

In cases where intent is unclear, MGM may have a duty to post notice (e.g. an "employees only" sign), but that obligation does not extend to activities that are "always" illegal.

 

Your example is exactly why I love small town life. Around me, doors don't need locks. A simple latch will do.  Even in big-city life, though, it is reasonable for a guest to help themselves to cookies on the counter.  It is not reasonable for them to help themselves to the TV on the counter.  The 17-year old did the latter.

ElectricLynn
Newcomer III

Agreed to disagree.  The only victims are the customers. From an ethical standpoint, it is important to hold individuals accountable for their actions, but this should not preclude a broader examination of systemic issues that allowed the breach to occur. Assigning responsibility solely to the teenager might overlook the need for organizations to adapt and strengthen their security practices to prevent future incidents. <revised the point 8/17/24>

 

v/r EL