Advisory for APS School Students

Introduction

MGM Resorts, which is an international company, has suffered an ongoing cyberattack which led to the shutdown of a number of its computer systems, including its website, in response to a cybersecurity issue. MGM Resorts International is in touch with external cybersecurity experts to resolve the issue since it has affected its entire Computer systems. MGM is a larger entity and operates thousands of hotel rooms across Las Vegas and the United States. MGM Resorts shared about the incident and posted that MGM recently identified a cybersecurity issue affecting some of the Company's systems. Promptly after detecting the issue, they quickly began an investigation with assistance from leading external cybersecurity experts. MGM has notified law enforcement and took prompt action to protect systems and data, including putting down certain systems. MGM further stated that the investigation is ongoing. 

‍The issue 

Basic operations such as the online reservation and booking system MGM have been affected and shut down due to the cybersecurity issue faced by a lot of visitors. Since earlier times, casino security has been the state of the art as they were very vulnerable to attacks by robbers and con artists. This is what we have also seen in a lot of movies. In today's time, con artists and robbers are now strengthened by cyber tactics. This is exactly what was seen in the case of the MGM attack. 

MGM Resorts is home to best-in-class amenities and facilities for guests, but with the increase in tourist traction, the vulnerabilities and the scope of cyber attacks have also increased. This is also because of open wifis in the establishments and the transition of casinos to e-casinos, thus causing a major shift towards digital and technology-based intervention for better customer experience and streamlining a lot of operations. 

How real is the threat? 

As reported by MGM Resorts, the following systems were impacted in the cyber security attack: 

• Slots Machines: The slot machines placed in the casino suddenly went offline and displayed an error message for the players. Some players who were already using the slot machines lost their bets and were unable to withdraw their winnings. 
• Room Keys: Some of the guests reported that the room keys became unresponsive, and in some cases, the replacement keys were also inactive for some time, causing massive chaos at the reception.  
• Booking Status: All the bookings in today's time are made online; this was one of the worst-hit segments of the cyber attacks. Most of the bookings made automatically were put on hold, and the confirmations could be made only from the hotel reception, thus causing massive cancelling of the bookings and both the hotel and customers losing out on money.
• MGM App: The official app of MGM Resorts was completely down, thus causing a situation of confusion and panic among the guests. The users also received notifications to speak to different customer care executives, but some of the numbers were unattentive and seemed to be operated by bad actors. 
• Data breach: The main focus of the cyber attack was dedicated to committing a data breach. The attack led to the breach of personal data of most of the users registered on the app or on the system of MGM Resorts. 

‍

Conclusion 

The cyber attack on the tourism industry is a major and growing concern for the industry and its customers. Seeing the volatility of the data and the regular inflow of personal information this makes the hotel's cyber security system a vulnerable choice for bad actors. The cyber attack was no less than a fire sale, where in all the segments of the services offered were impacted. Similar attacks were reported by MGM in 2019 and 2020, and subsequently, the safety measures were also deployed, but the bad actors have hit the resorts chain owners again, in such cases the most paramount defence is having a safe and regularly updated firewall, upskilling of staff for IT issues and attacks, active reporting and investigation mechanisms for assisting the LEAs. In the times of rising cyberattacks, one needs to be critical of their data management and digital footprints. The sooner we adopt safe, secure and resilient cyber hygiene practices, the safer our future will be.  

‍

References:

https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/

https://www.usatoday.com/story/tech/news/2023/09/11/mgm-cyber-attack-impact-resorts-hotels-us/70828503007/

https://www.cnbc.com/2023/09/12/mgm-resorts-cybersecurity-incident-forces-system-outage.html

‍

"Cybercriminals are unleashing a surprisingly high volume of new threats in this short period of time to take advantage of inadvertent security gaps as organizations are in a rush to ensure business continuity.”

Cyber security firm Fortinet on Monday announced that over the past several weeks, it has been monitoring a significant spike in COVID-19 related threats.

An unprecedented number of unprotected users and devices are now online with one or two people in every home connecting remotely to work through the internet. Simultaneously there are children at home engaged in remote learning and the entire family is engaged in multi-player games, chatting with friends as well as streaming music and video. The cybersec firm’s FortiGuard Labs is observing this perfect storm of opportunity being exploited by cybercriminals as the Threat Report on the Pandemic highlights:

A surge in Phishing Attacks: The research shows an average of about 600 new phishing campaigns every day. The content is designed to either prey on the fears and concerns of individuals or pretend to provide essential information on the current pandemic. The phishing attacks range from scams related to helping individuals deposit their stimulus for Covid-19 tests, to providing access to Chloroquine and other medicines or medical device, to providing helpdesk support for new teleworkers.

Phishing Scams Are Just the Start: While the attacks start with a phishing attack, their end goal is to steal personal information or even target businesses through teleworkers. Majority of the phishing attacks contain malicious payloads – including ransomware, viruses, remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, and even RDP (remote desktop protocol) exploits.

A Sudden Spike in Viruses: The first quarter of 2020 has documented a 17% increase in viruses for January, a 52% increase for February and an alarming 131% increase for March compared to the same period in 2019. The significant rise in viruses is mainly attributed to malicious phishing attachments. Multiple sites that are illegally streaming movies that were still in theatres secretly infect malware to anyone who logs on. Free game, free movie, and the attacker is on your network.

Risks for IoT Devices magnify: As users are all connected to the home network, attackers have multiple avenues of attack that can be exploited targeting devices including computers, tablets, gaming and entertainment systems and even online IoT devices such as digital cameras, smart appliances – with the ultimate goal of finding a way back into a corporate network and its valuable digital resources.

Ransomware like attack to disrupt business: If the device of a remote worker can be compromised, it can become a conduit back into the organization’s core network, enabling the spread of malware to other remote workers. The resulting business disruption can be just as effective as ransomware targeting internal network systems for taking a business offline. Since helpdesks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while devices are mailed in for reimaging.

“Though organizations have completed the initial phase of transitioning their entire workforce to remote telework and employees are becoming increasingly comfortable with their new reality, CISOs continue to face new challenges presented by maintaining a secure teleworker business model. From redefining their security baseline, or supporting technology enablement for remote workers, to developing detailed policies for employees to have access to data, organizations must be nimble and adapt quickly to overcome these new problems that are arising”, said Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet – Office of CISO.

The European Union (EU) has made trailblazing efforts regarding protection and privacy, coming up with the most comprehensive and detailed regulation called the GDPR (General Data Protection Regulation). As countries worldwide continue to grapple with setting their laws, the EU is already taking on issues with tech giants and focusing on the road ahead. Its contentious issues with Meta and the launch of Meta’s AI assistant in the EU are thus seen as a complex process, shaped by stringent data privacy regulations, ongoing debates over copyright, and ethical AI practices.​ This development is considered important as previously, the EU and Meta have had issues (including fines and and also received a pushback concerning its services), which broadly include data privacy regarding compliance with GDPR, antitrust law concerns- targeting ads, facebook marketplace activities and content moderation with respect to the spread of misinformation. 

Privacy and Data Protection Concerns

A significant part of operating Large Language Models (LLMs) is the need to train them with a repository of data/ plausible answers from which they can source. If it doesn’t find relevant information or the request is out of its scope, programmed to answer, it shall continue to follow orders, but with a reduction in the accuracy of its response. Meta's initial plans to train its AI models using publicly available content from adult users in the EU received a setback from privacy regulators. The Irish Data Protection Commission (DPC), acting as Meta's lead privacy regulator in Europe, raised the issue and requested a delay in the rollout to assess its compliance with GDPR. It has also raised similar concerns with Grok, the AI tool of X, to assess whether the EU users’  data was lawfully processed for training it. 

In response, Meta stalled the release of this feature for around a year and agreed to exclude private messages and data from users under the age of 18 and implemented an opt-out mechanism for users who do not wish their public data to be used for AI training. This approach aligns with GDPR requirements, which mandate a clear legal basis for processing personal data, such as obtaining explicit consent or demonstrating legitimate interest, along with the option of removal of consent at a later stage, as the user wishes. The version/service available at the moment is a text-based assistant which is not capable of things like image generation, but can provide services and assistance which include brainstorming, planning, and answering queries from web-based information. However, Meta has assured its users of expansion and exploration regarding the AI features in the near future as it continues to cooperate with the regulators.

Regulatory Environment and Strategic Decisions

The EU's regulatory landscape, characterised by the GDPR and the forthcoming AI Act, presents challenges for tech companies like Meta. Citing the "unpredictable nature" of EU regulations, Meta has decided not to release its multimodal Llama AI model—capable of processing text, images, audio, and video—in the EU. This decision underscores the tension between innovation and regulatory compliance, as companies navigate the complexities of deploying advanced AI technologies within strict legal frameworks. 

Implications and Future Outlook

Meta's experience highlights the broader challenges faced by AI developers operating in jurisdictions with robust data protection laws. The most critical issue that remains for now is to strike a balance  between  leveraging user data for AI advancement while respecting individual privacy rights.. As the EU continues to refine its regulatory approach to AI, companies need to adapt their strategies to ensure compliance while fostering innovation.​ Stringent measures and regular assessment also keep in check the accountability of big tech companies as they make for profit as well as for the public.

Reference:

• https://thehackernews.com/2025/04/meta-resumes-eu-ai-training-using.html
• https://www.thehindu.com/sci-tech/technology/meta-to-train-ai-models-on-european-users-public-data/article69451271.ece
• https://about.fb.com/news/2025/04/making-ai-work-harder-for-europeans/ 
• https://www.theregister.com/2025/04/15/meta_resume_ai_training_eu_user_posts/ 
• https://noyb.eu/en/twitters-ai-plans-hit-9-more-gdpr-complaints 

• https://www.businesstoday.in/technology/news/story/meta-ai-finally-comes-to-europe-after-a-year-long-delay-but-with-some-limitations-468809-2025-03-21
• https://www.bloomberg.com/news/articles/2025-02-13/meta-opens-facebook-marketplace-to-rivals-in-eu-antitrust-clash
• https://www.nytimes.com/2023/05/22/business/meta-facebook-eu-privacy-fine.html#:~:text=Many%20civil%20society%20groups%20and,million%20for%20a%20data%20leak.
• https://ec.europa.eu/commission/presscorner/detail/en/ip_24_5801
• https://www.thehindu.com/sci-tech/technology/european-union-accuses-facebook-owner-meta-of-breaking-digital-rules-with-paid-ad-free-option/article68358039.ece
• https://www.theregister.com/2025/04/14/ireland_investigation_into_x/ 
• https://www.theverge.com/2024/7/18/24201041/meta-multimodal-llama-ai-model-launch-eu-regulations?utm_source=chatgpt.com
• https://www.axios.com/2024/07/17/meta-future-multimodal-ai-models-eu?utm_source=chatgpt.com 

‍