Cybersecurity in 2023: The MOVEit data breach and regulatory responses

CBTS Cybersecurity experts break down the MGM and MOVEit data breaches and what they mean for notifying the SEC.

This episode of Inside the CISO’s Office explores some of the most significant developments in cybersecurity in 2023 to date, including the MGM Resorts breach, the MOVEit data breach, and the resulting updates to compliance rules from regulators.

The 2023 cyber threat outlook

The threat landscape continues to see an increase in ransomware activity week after week, with people as the top target for bad actors. The largest breaches of the year—MGM Resorts—illustrate that sophisticated social engineering schemes do not need AI-generated phishing e-mails and voice technology to succeed. Instead, old-fashioned deception still works. The impressive and far-reaching extent of the MOVEit data breach highlights the impact of new SEC regulations regarding the reporting of material breaches. In the United States, public companies now have four business days to alert the SEC of these breaches.

Over 90% of cyberattacks start with a phishing e-mail—the year’s most popular method of attack. IBM found that the chances of a successful breach increased threefold when paired with “vishing” (voice phishing). When paired with generative AI and deepfake tools that create even more convincing phishing and vishing schemes, ransomware attacks will only become more challenging to differentiate from trusted messengers in the future.

In this companion to the above Tech Talk, we’ll review these recent attacks and the fallout of the newly updated FTC and SEC regulatory changes. In addition, we will cover the basic steps your business can take to help prevent disastrous data breaches.

The MGM and MOVEit data breaches

In September of this year, MGM Resorts informed their customers of a “cybersecurity issue.” Over the next ten days, MGM was locked out of critical systems in their environment, including gaming machines, cash registers for restaurants, and guest room keys. Staff switched to handwritten receipts. On September 20, MGM said operations were mostly normal with “intermittent” issues. In October, MGM reported that sensitive data, including social security numbers, had been exposed. Estimates for MGM’s losses are reported to be over $100 million USD from this attack.

This destructive attack was caused by a social engineering scheme that started with a vishing phone call to reset a lost password. The hacker called tech support, posing as a high-level employee to gain access to admin-level permissions.

Ryan contextualized this example: “It’s still people. A lot of the breaches that we’re going to talk about today, that we talk about all the time, are still people-based breaches. It’s not necessarily a vulnerability in software. It’s not necessarily an improperly open port. It’s sending a link or making the right phone call to the right person, finding that way in, getting an identity reset, and taking over that identity and leveraging it.”

The MGM event comes after the even more widespread MOVEit data breach earlier this year. Full ramifications are still being uncovered, but over 1,000 companies have had data exposed due to a zero-day exploit in this widely used file-transfer service. Exposed organizations include governments, colleges, the BBC, New York Public Schools, and many others. The breach compromised over 60 million end-users’ data. Countless lawsuits are currently pending.

Updated data breach notification rules

The increased frequency of high-profile and large-scale data breaches caused the SEC to change its data breach disclosure rules. After the rules take effect at the end of the year, publicly traded U.S. organizations will have to report material (significant) breaches to the SEC within four days. Additionally, the new rules update when and how organizations should inform consumers of a breach affecting their data.

The FTC also revised its regulations this year, updating the safeguards financial organizations need to implement as part of the Gramm-Leach-Bliley Act. The revised rules affect non-bank financial firms like car dealerships, payday lenders, and more. For breaches exposing 500 or more customers, the organization must provide notices to the involved parties that include:

  • A sufficiently detailed description of the breach.
  • The categories of data exposed.
  • The timing and date of the breach.
  • The number of consumers exposed.

To learn more about these updated rules, visit the FTC’s Gramm-Leach-Bliley Act resources page.

Emerging threats

Deepfake technology and generative AI are boosting the believability of social engineering schemes. John said, “In the generative AI space, I think it will certainly and has already improved the readability of phishing e-mails. And the thing that people need to prepare for is there are tools out there, very, very cheap tools, that you can buy that will imitate my voice. So, people could sample my voice from this or other episodes, make a decent-sounding copy of my voice, and do it.”

Poor grammar is often an easy indicator of a phishing e-mail. This red flag may disappear as generative AI improves the grammar and credibility of phishing e-mails. Caller ID spoofing lets threat actors make calls that appear to come from a realistic source, such as an organization or government agency. Then, using high-quality voice or video deepfakes, criminals can lend these schemes even more credibility and sophistication.

CISO defense strategies for emerging threat vectors

Chris emphasized a proactive defense, including:

  • Adopting a zero trust framework.
  • Enhancing network segmentation.
  • Implementing evolving cybersecurity training for all employees.
  • Remaining diligent.
  • Consulting a well-known security framework, such as NIST, CIS Controls, or CSF.

Ryan stressed a core idea in zero trust: “Always verify… If something seems fishy, hang up and call back a verified phone number to confirm.”

John recommended what he referred to as the “standard blocking and tackle” of cyber defense:

  • Encrypting sensitive data in all states: data at rest and in motion.
  • Deploying tested backups and disaster recovery systems.
  • Creating a straightforward cyber incident response plan (IRP) that follows industry security standards.
  • Providing ongoing training for all staff, including penetration testing, phishing, and vishing testing.

Every panel member recommends providing extra training and support to employees who fail simulated phishing tests. Ryan went on to say, “A lot of companies stop at just sending the phishing e-mail and saying, ‘Hey, you got phished.’ Instead, follow up with additional training for those individuals, whether video-based or computer-based assessments. It’s not a strike against them; it’s just helping them help themselves more than something else. Nobody wants to be the point of an intrusion; be that person who let that access happen. But having followed that up with additional training sources is key to that whole awareness process, not just doing the phishing connection.”

Cybersecurity solutions from OnX Canada

2023 brought new challenges and changes to the cybersecurity landscape, which may require updates to your company’s IT network. The cybersecurity experts at OnX provide future-proof advice to enhance your security posture and keep your business safe from expansive attacks like the MGM Resorts and MOVEit data breaches. Schedule a vulnerability assessment today.