MGM, Caesars Lawsuits Elevate Critical Need for “Reasonable” Voice Channel Cyber Defense

EXECUTIVE SUMMARY

Successful cyber-attacks on data-rich organizations like MGM continue to escalate at an alarming pace. So, too, are the frequency and price tag of the class-action settlements that follow, as affected consumers and the firms representing them demand greater accountability. Particularly when it comes to the under-protected voice channel, organizations are continually leaving themselves wide open to MGM-style vishing attacks and the legal jeopardy those attacks place them in. Fortunately, there is a simple, eminently reasonable action that can be taken right now to close the voice channel security gap before criminal intruders, and the litigators sure to follow, force a costly reckoning.

To leave the voice channel unprotected is no longer an option for organizations that can either produce evidence that all “reasonable measures” have been implemented to protect user data against cyber hackers or face the multiple consequences should that data be breached.

Post Cyberattack, Expect Class-Action Lawsuits

As we are learning from the ongoing fallout from the recent MGM Resorts and Caesars Entertainment socially engineered cyber hacks, there are plenty of reasons that now, more than ever, organizations need to change their outlook on what qualifies as adequate cybersecurity defense for all IT networks.

On top of the escalating costs of mitigation, brand damage and business loss, organizations experiencing a cyber incident that involves compromised customer data can now also look forward to the likelihood of costly and often protracted class-action lawsuits.

It took little time for five separate suits to be filed against MGM and Caesars collectively for failure to protect customer data following their breach disclosures. That number has since ballooned to nine and counting.

The fact is, the incidence of class-action suits related to data breaches has accelerated dramatically in the past year with a 154% increase in federal cases alone. For healthcare, cases filed during that same time period have nearly doubled.

3 Reasons why Class Action Lawsuits are Exploding After a Cyber Incident

1) The public in general is more sensitized to the potential damages of identity theft should their Personal Identifying Information (PII) end up in the hands of criminal agents.

High-profile, voice-based cybersecurity incidents like those experienced by MGM, Twitter, Robinhood and Cisco, to name just a few, have broadly eroded consumer confidence in the ability of companies to protect and secure sensitive personal information. This, in turn, has stimulated a heightened demand for more robust consumer protections.

2) Following public pressure, regulators are making increasing demands for greater transparency and accountability from companies that experience cyber breaches.

The United States does not have one comprehensive law regulating the protection of personal information. Rather, there is an assortment of industry-specific regulations, such as the Gramm-Leach-Bliley Act for financial institutions and the HIPAA Privacy Rule for healthcare, as well as state-specific policies.

The Securities and Exchange Commission (SEC) has now stepped in, at least for publicly held entities. As Wall Street’s primary regulator, the agency recently updated its cyber incident reporting rules requiring registrants to file, within four days of discovery, any “material” cybersecurity incident, including details of the incident’s nature, scope, and timing, on the agency’s Form 8-K. All SEC Form 8-K reports are public and can be found on the SEC EDGAR (Electronic Data Gathering, Analysis, and Retrieval system) website.

Healthcare organizations, on the other hand, must report any breach that affects the health data of more than 500 people via the U.S. Department of Health and Human Services Office for Civil Rights (OCR) website. These reports are public and easily accessible for anyone to view. Note that the health industry, with its valuable trove of sensitive data, is one of the most commonly targeted by cybercriminals.

3) Increased transparency and reporting on public websites is fueling increased filings of class action suits.

It’s no secret that law firms specializing in class action litigation proactively seek out plaintiffs for promising cases. It’s about money.

And there is lots of that to be had, particularly when sensitive customer data has been compromised. For instance, Capital One reached a $190 million settlement stemming from a 2019 data breach that exposed the PII of 16,500 individuals. T-Mobile agreed to a $350 million settlement with an additional $150 million commitment to security improvements on behalf of 76.6 million residents whose information was leaked in 2021; Uber paid $148 million to settle civil litigation tied to a 2016 data breach and the subsequent cover-up attempt; and Equifax has agreed to pay $575 million, and possibly up to $700 million, as consumers continue to make claims related to a 2017 breach that exposed the personal information of 147 million people.

Typically, between 25% and 35% of such settlements go to cover legal fees.

It’s no wonder class action litigators are becoming more aggressive in their prospecting. With the expansion of public disclosure requirements set by regulatory agencies, that job just got easier.

Cybersecurity Programs Must Take “Reasonable” Measures

As the law stands, when a person agrees to provide PII to an organization as part of their service agreement, they are, in effect, entering into a contract with the implied promise that their data will be protected. 

When the organization fails to hold up that promise, it can be considered in breach of contract and thus liable for damages.

Regardless of how the actual hack is carried out, the language contained in ensuing class action suits consistently points to negligence based on failure to take “reasonable” measures to protect customer data, a term liberally used by the Federal Trade Commission when prosecuting companies for mishandling protected data.

Can you define “Reasonable”? Soon, the courts will.

This ambiguity has, in effect, left the door open for legal interpretation that will likely be settled only through court action, as the language contained in each successful case becomes a template for future litigators.

It is no coincidence that in the recent MGM class action suit filing, the term “reasonable” appears 35 times, e.g., “Defendant had a duty to employ reasonable security measures” or “Defendant had a duty to adopt reasonable measures to protect the PII of Plaintiff.”

Breach-Related Class Action Lawsuits are Surging

It’s also clear that the number of data breach-related class action suits and subsequent settlements will continue to increase exponentially over the coming years as predicted in this Morrison Foerster analysis – a trend fueled, in large part, by a proportionate surge in attacks. 

According to the World Economic Forum’s Global Cybersecurity Outlook 2023 report, 43% of business leaders now think it is “likely” that a cyberattack will severely affect their business within the next two years. That’s a sobering statistic for sure, and one that points to the fact that organizations absolutely must start now to better prepare themselves, not only for the possibility of such an attack, but also the potential costly litigation that could follow.  

The SEC Directs Organizations to Audit Themselves, Proactively

Step one, now required under the new SEC rules, is a broad, introspective, and fully documented audit that reveals what measures are in place to control access to, and protect, customer data throughout the organization’s network structures.

This cybersecurity audit should include an aggressive probe for vulnerabilities in hardware, software, policies and processes that could enable or exacerbate damages inflicted by a successful breach.

Most Cybersecurity Audits Will Show that the Voice Channel is Not “Reasonably” Protected

As evidenced by MGM, Caesars, and a growing legion of other recent victims of voice-based social engineering attacks, the audit should put increased focus on the voice channel. 

Voice (voice network, unified collaboration, telephony) has traditionally been overlooked as a source of cyber intrusion. Board members, the C-Suite, cybersecurity professionals, and internal legal teams are now under great pressure to reduce the voice channel’s exposure as a critical threat vector and to adapt their security and risk management practices to cover this escalating path to a potential breach.

Note that, while large organizations may be particularly attractive targets for headline-grabbing cyber intrusion, smaller companies are no less at risk. According to a 2022 analysis in Forbes, 43% of cyberattacks target small businesses; more than half of targeted businesses experience a data breach; and the average cost of remediation reaches $200,000 — enough to drive about 10% of them out of business.

In other words, cyber hacking is an equal opportunity endeavor, and cybercriminals know that organizations of all sizes are not securing their voice channels. Via a simple phone call, vishers and bad actors employing social engineering tactics have direct access to the weakest link in every cyber defense program – the inadvertently complicit human recipient at the other end of the line.

Voice Defense as the Tripwire for Impending Cyberattack

In most cases, vishing (voice phishing) attacks are the culmination of precursor “reconnaissance” activity that includes network probing for points of weakness. 

The lawsuit filed against MGM, for instance, includes revelations that the organization should have been fully aware of its vulnerability to a vishing attack because its IT vendor, Okta, had warned of “a consistent pattern of social engineering attacks in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication factors enrolled by highly privileged users.” Indeed, this is how the MGM hack essentially went down. 

Such activity can, and should, be identified as early as possible in the call path before those calls are given the chance to impact network operations or reach their targeted endpoint.

Voice Channel Protection is Readily Available

Fortunately, there are voice channel protection solutions that can be implemented now as part of a complete cybersecurity defense strategy. 

Among the most comprehensive (and most versatile) is Mutare’s Voice Traffic Filter (VTF), which eliminates nuisance and nefarious inbound calls at the network edge.

Implemented on premise, in the cloud, or in a hybrid environment, VTF removes nuisance robocalls and spammers before those calls ring through, while continuously monitoring voice traffic activity, applying sophisticated call data analytics technologies in real time to detect anomalous call behaviors consistent with nefarious intrusions. 

VTF will block or redirect suspicious calls away from their intended targets while alerting administrators to the suspect activity so additional defensive measures can be mobilized.

What’s more, call data collected through VTF (telemetry) can be extracted and integrated with an organization’s existing Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) system, enabling broader and more layered insight for cross-channel detection of, and response to, emerging threats across the full attack surface. VTF telemetry also improves an organization’s ability to understand how a successful breach occurred, as security teams work post-breach to identify previously unseen patterns and activities via SIEM / XDR.
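To make concrete what “detecting anomalous call behaviors” and feeding voice telemetry into a SIEM can look like for the service-desk pattern described above (a caller persuading help-desk staff to reset a privileged user’s MFA factors), here is an added, illustrative correlation script. It is not Mutare’s VTF code and not the logic of any product; the call-record layout, the identity-provider event format and action name (`mfa.factor.reset_all`), the service-desk extension `4000`, the privileged account names, the time windows and the thresholds are all constructed assumptions for the example.

```python
"""
Added example (not Mutare VTF code). Correlates constructed voice-channel
telemetry with constructed identity-provider audit events to emit two
SIEM-style signals: (1) a burst of calls from one caller to the service desk,
(2) a full MFA factor reset on a privileged account shortly after a
service-desk call. All formats, names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_DESK_EXT = "4000"            # assumed extension of the IT help desk
BURST_WINDOW = timedelta(minutes=15)   # assumed window for a call burst
BURST_THRESHOLD = 3                    # assumed number of calls that counts as a burst
RESET_WINDOW = timedelta(minutes=30)   # assumed call-to-reset correlation window
PRIVILEGED = {"okta-admin", "svc-backup"}  # constructed privileged account names

# Constructed call telemetry: timestamp, caller id, called extension, outcome
CALL_LOG = """\
2023-09-08T09:01:00 +15555550100 4000 answered
2023-09-08T09:04:00 +15555550100 4000 answered
2023-09-08T09:09:00 +15555550100 4000 answered
2023-09-08T09:30:00 +15555550177 4123 answered
2023-09-08T10:02:00 +15555550199 4000 answered
"""

# Constructed identity-provider audit events: timestamp, actor, action, target user
IDP_LOG = """\
2023-09-08T09:15:00 helpdesk1 mfa.factor.reset_all okta-admin
2023-09-08T09:40:00 helpdesk1 mfa.factor.reset_all jdoe
2023-09-08T12:00:00 helpdesk2 user.session.end svc-backup
"""


def parse_calls(text):
    """Parse one call record per line into dicts with a datetime timestamp."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, called, outcome = line.split()
        calls.append({"ts": datetime.fromisoformat(ts), "caller": caller,
                      "called": called, "outcome": outcome})
    return calls


def parse_idp(text):
    """Parse one identity-provider event per line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target})
    return events


def detect_call_bursts(calls, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Flag callers placing >= threshold calls to the service desk within one window."""
    by_caller = defaultdict(list)
    for c in calls:
        if c["called"] == SERVICE_DESK_EXT:
            by_caller[c["caller"]].append(c["ts"])
    alerts = []
    for caller, times in by_caller.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                alerts.append({"type": "service_desk_call_burst", "caller": caller,
                               "first_call": start.isoformat(), "count": len(in_window)})
                break  # one alert per caller is enough for the SIEM
    return alerts


def correlate_privileged_resets(calls, events, window=RESET_WINDOW):
    """Flag a full MFA reset on a privileged account preceded by a service-desk call."""
    desk_calls = sorted((c for c in calls if c["called"] == SERVICE_DESK_EXT),
                        key=lambda c: c["ts"])
    alerts = []
    for e in events:
        if e["action"] != "mfa.factor.reset_all" or e["target"] not in PRIVILEGED:
            continue
        preceding = [c for c in desk_calls if timedelta(0) <= e["ts"] - c["ts"] <= window]
        if preceding:
            last = preceding[-1]  # the most recent service-desk call before the reset
            alerts.append({"type": "privileged_mfa_reset_after_call",
                           "target": e["target"], "actor": e["actor"],
                           "caller": last["caller"], "call_ts": last["ts"].isoformat(),
                           "reset_ts": e["ts"].isoformat()})
    return alerts


def run(call_text=CALL_LOG, idp_text=IDP_LOG):
    """Return all alerts as a list of dicts ready to be shipped to a SIEM/XDR."""
    calls = parse_calls(call_text)
    events = parse_idp(idp_text)
    return detect_call_bursts(calls) + correlate_privileged_resets(calls, events)


if __name__ == "__main__":
    import json
    for alert in run():
        print(json.dumps(alert))
```

On the constructed input this yields two alerts: a call burst from one caller to the service desk, and a privileged MFA reset fourteen minutes after that caller’s last call. The second signal is only possible because voice telemetry and identity-provider events land in the same place, which is the practical reason the article argues for feeding call data into the SIEM / XDR rather than leaving it inside the telephony system.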

Conclusion

Clearly the voice channel is just one of many potential points of entry currently being targeted by cyber criminals in their unending quest for money and data. Even so, it is likely the least protected. 

Is it “reasonable” that organizations have a proven solution in place that could detect suspicious voice traffic activity before perpetrators are able to reach vulnerable human endpoints to work their deceptions?

If MGM’s experience, numerous other high profile vishing victims before them, and the pattern of recent class action case settlements favoring the affected consumers is any indication, the only reasonable answer is “yes.”