It was a hack felt ‘round the country when MGM Resorts across the U.S. were crippled by a potential phishing attack. According to MGM, the cyberattack disrupted resorts under its umbrella across the country, including in Las Vegas, New York, and Ohio, affecting everything from casino slot machines and ATMs to hotels and restaurants. As MGM services begin returning online, guests are finding that their highly sensitive personal data was ransacked.
While the FBI and others continue to investigate, perhaps most disturbing is what may be the cause of the assault: a phishing attack on an MGM employee over social media. The hacking group Black Cat is taking responsibility for the crime, which they claim earned them $33 billion.
MGM customers, on the other hand, may be the biggest losers of all. A tragic amount of their personally identifiable information (PII) was hijacked, including full names, birthdates, postal and email addresses, phone numbers, and driver’s license and passport info.
How It Happened and What To Do
According to Black Cat, an MGM employee was located on LinkedIn and the socially engineered phishing attack began. The hacking group took all of ten minutes to make a phone call to the MGM Help Desk, impersonating the employee. The call allowed Black Cat to hack MGM’s system, and it wasn’t long before the chips began to fall.
Every MGM customer who hasn’t already done so should take immediate steps to limit the damage to their PII. It starts with changing all MGM passwords to strong replacements. Sign up for two-factor authentication (2FA) when it is offered, as an additional layer of security during login. The same needs to be done with credit cards and payment platforms, including Zelle, PayPal, and others, if they are connected in any way to your MGM account or if you use the same password. And if you do use the same password across multiple accounts, it’s strongly advised that you stop. Each account should have its very own set of login credentials.
Once done, proactively check your credit card statements and your reports from the big three credit agencies. Consider placing a freeze on your credit information until the dust begins to clear, or for as long as you don’t need to give anyone access to your credit report. You can do this free of charge. You can also unfreeze it at no charge and even make an unfreeze temporary. Remember, stolen PII can be held indefinitely by cybercriminals and is not necessarily abused shortly after the breach. Think of it as a personal five-alarm fire you’re solely responsible for putting out.
Finally, limit what information you provide on LinkedIn or any social media. The more you put out there, the more that can be used against you or your organization in phishing attacks like this one.
Phishing attacks continue to be the scourge of cybersecurity, with a reported 500 million last year, and they remain the easiest scams to fall victim to. FYI: MGM experienced a behemoth breach just one year ago affecting the PII of over 140 million guests. There’s surely more to come, so buckle up!