It was past midnight when Alessandra Millican and a friend entered the Bellagio hotel room that was costing them hundreds of dollars a night, but unexpected noises made them stop cold.
“We started hearing grunts,” she said. “It’s somebody waking up — we were halfway through the room and we realized there’s somebody sleeping in here.”
Millican had arrived in Las Vegas on Sunday, Sept. 10, just as an online attack was being discovered by MGM Resorts International
the parent company of the Bellagio. By Monday, she said there were hourslong lines to check in and restaurants were only accepting cash, even though the casino-hotel’s ATMs were not working.
Unfortunately for Millican and her friend, the hot water was not reliable in their first room, which forced them to brave the front desk late Tuesday night into Wednesday morning. Millican said the process was long and manual, with one employee accessing a single spreadsheet for each check-in, which typically took about a half hour for each guest even after they made it to the front of the line.
That seemed like a minor annoyance once they arrived at their new room to find a sleeping guest. And Millican said she learned it was not an isolated incident.
“When I went around the hotel and talked with people, almost all of them have the exact same experiences,” she said. “This guest I talked to said his friend was walked in on, and his other female friend had her door opened while she was in the shower.”
This is not the typical effects of a cyberattack that consumers have been conditioned to accept. Many consumers are now accustomed to receiving notification of a data breach, with an email listing their personal information that may have been accessed and offering free identity-protection services.
Recent cyberattacks are not only impacting hotel stays, but also basic consumer products like kitty litter and cleaning wipes. Facing real-world effects is relatively new, and experts believe the in-person intrusions and disappointment could lead to increasing backlash from consumers.
Millican has now weathered both types of experiences. She was also wrapped up in the 2017 Equifax Inc. EFX
data breach, which she at first considered more scary than what she experienced at the Bellagio “because of the hilarity of fiasco after fiasco and the way that MGM handled the situation.”
In One Chart: The full toll of the massive Equifax data breach
A charge on her credit card, however, changed that outlook. As Millican slept in Las Vegas on Thursday morning, someone charged $14.11 on the same credit card she used at the Bellagio at a bar in New York, even though that bar wasn’t open when the charge was made before noon on the East Coast.
“Obviously now I think it’s going to continue to unfold, and when I got that false charge on my card, that’s when alarm bells start going off like, ‘OK, this is real. This is a situation that I need to be on alert about,’” she said.
How a cyberattack led to cats peeing on their owner’s floor
As Millican was dealing with real-world effects from the MGM attack last week, Renee Lytle was a couple hundred miles away in Southern California at a PetSmart location, trying to buy Fresh Step kitty litter for her two cats, Pip and Cali. When she couldn’t find the product, she instead grabbed a competing brand, and her pets registered their disdain for the switch in a way that won’t be surprising to cat owners.
“They’re just like, ‘OK mom, this is what’s going down — We’re pooping and peeing around the box until you get us our litter,’” she said.
Clorox Co. CLX
which owns the Fresh Step brand, has also recently been dealing with a cyberattack. Clorox’s products have started disappearing from shelves more than a month after the company first reported an online intrusion on Aug. 14, as the company has had to revert to manual processes as systems are offline, undermining production and distribution of various products. The company has admitted those issues in regular updates tracking the recovery progress, and a spokeswoman referred MarketWatch to those updates when asked for comment, but experts say that the issues will continue even after the situation is resolved.
“When you look at these particular attacks, they’re disrupting trust,” said Lida Citroën, a reputation-management expert and author. “We trust our products until we can’t get them when we go to the store and the shelves are empty. It’s all about trust, and consumers want trust. A reputation crisis is when trust is broken.”
The visceral nature of facing in-real-life effects from a digital attack can lead customers to break up with a brand for good, said Eric Yaverbaum, author of seven books on public relations and crisis management.
“Now it’s touching me for real, it’s not just some story in the news. I can’t get my Clorox and what’s over to the left of them is a competing product,” Yaverbaum, chairman of public-relations firm Ericho communications, told MarketWatch. “Inevitably, not everybody goes back to Clorox when they get their distribution back. That’s real, that’s not a story, not something that happened to a neighbor — it happens to us. And when it touches us, you know, different buying decisions are made.”
These issues could also lead to higher prices. A ransomware attack on the Colonial Pipeline Co. in 2021 increased gas prices in much of the U.S., and a successful attack on meatpacking company JBS SA
temporarily increased meat prices the same year. Companies could also seek to recoup lost revenue after the shortage passes.
“The costs are passed along to the consumers, and the costs are also impacting shareholders,” Pete Nicoletti, global chief information security officer at Check Point Software
Lytle said she would go to several stores to attempt to find the Fresh Step litter her cats demand, but said that if the price ever hit $30 for a 30-pound bag — she currently pays $23 to $24 — she would have to find a new brand.
“There’s no way I’m paying $30 for a bag of litter,” she said.
‘You cannot pay criminals. You can’t let them win’
Clorox executives have not disclosed the exact type of attack they suffered, but the MGM attack is a case of ransomware, according to Okta Inc.
Chief Security Officer David Bradbury. He confirmed to MarketWatch that a member of a suspected ransomware group had managed to convince a help-desk worker at MGM that they were a specific employee of the company to gain entry.
Ransomware is typically involved when corporations face cyberattacks that result in serious disruptions of their operations. Ransomware gangs typically breach a network to lock users out and can steal important data until they receive a large ransom.
Bradbury said MGM was one of five Okta customers that had fallen prey to a similar approach this summer. One of the others was Caesars Entertainment Inc.
a competing hotel-casino company, Bradbury confirmed. Neither MGM nor Caesars returned requests for comment, though both have disclosed recent breaches to the Securities and Exchange Commission.
While MGM properties were flailing when Millican was in Las Vegas before announcing that operations were back to normal this week, Caesars properties were reportedly functioning normally. That could be because Caesars management decided to pay the requested ransom, as Bloomberg News reported.
Cybersecurity experts adamantly suggest that companies not pay the ransom.
“You cannot pay criminals. You can’t let them win,” Check Point’s Nicoletti said, adding that there’s no guarantee a payment will lead to ransomware gangs immediately handing over the keys to a computer system, nor to deleting any data they’ve already obtained.
Ransomware is already “the most significant threat to businesses,” according to Check Point’s midyear report, which counted more than 2,200 victims in the first half of 2023. Ransomware gangs are proliferating and increasing their attacks at ever higher rates, the cybersecurity company found.
“The fact that we’re paying these folks billions of dollars means we’re making them better,” he added.
Consumers may see it differently, however. Millican — who had heard around Las Vegas that Caesars had also been hacked and reportedly paid a ransom to maintain business during a busy week with several conferences in town — said she would likely not stay at the Bellagio or any other MGM property again “because of the price we paid and the experience we received.”
“In the future, I’d probably be more likely to book at Caesars,” she told MarketWatch. “They paid the ransom, they got that resolved quickly, but in my mind as a consumer, they took the right step so that my trip won’t be impacted. Because 99% of the time that I’m going to Vegas, I’m going there to have fun.”
While Nicoletti hopes executives don’t take the wrong lesson from this experience and start paying ransoms, he does believe that real-world problems from a cyberattack should be a “wake-up call” for consumers, who should “really look at the people they have relationships with, and look to see what their security posture is.”
Yaverbaum agrees, saying “for mainstream America — us pedestrians who just buy stuff, all of us — the only way that we’re going to get educated and be aware is the hard way.”
“This is going to touch every single company, every single consumer in this country over the course of the next decade, bar none,” he said. “It’s not a crazy prediction to make. We’re not ready for what’s coming. “