Lina Khan Got Stuck in the Fallout of the MGM Hack at Las Vegas (bloomberg.com) 51
Among the hotel patrons snarled in the fallout of MGM Resorts' cyberattack was -- unfortunately for the company -- one very high-profile figure: Lina Khan, the chair of the US Federal Trade Commission. Bloomberg News: On Tuesday night, she was among the 45 people waiting to check in at the MGM Grand along the Las Vegas strip as staff worked to manually fulfill everyone's reservation, according to people familiar with the matter. When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper.
As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn't know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal. Khan was among the thousands of MGM hotel patrons inconvenienced in the aftermath of the hack, which was said to be orchestrated by a group of hackers known as Scattered Spider. Days after the incident, many of the company's websites -- including its reservation system -- were still displaying error messages, some slot machines at its casinos across the country are still out of service and employees were handling processes manually.
Lina Khan and her staff (Score:2, Flamebait)
Just curious, what were they doing in Vegas?
Re:Lina Khan and her staff (Score:5, Insightful)
Given that it says she was with staff, it was probably a conference. There's all kinds of conferences that happen in Vegas. My sister was just there for some sort of academic conference.
Re: (Score:2)
You don't give her enough credit. If you're interested in getting a good sound bite for social media or the news cycle, then the front desk clerk is definitely the person to talk to.
Re:Lina Khan and her staff (Score:5, Informative)
Re: (Score:2)
If the front desk guy doesn't know, he should at least know whom to refer you to.
Sure. His supervisor. Who won't know either.
They are busy dealing with a lot of people, as best they can, in a crisis situation. Your choices are: cooperate and hope they do a good job, or go elsewhere. It sucks. It is a PCI violation - but that is somebody else's problem to deal with later.
Make a choice and live with the consequences. It's Vegas, baby!
Re: (Score:3)
It is a PCI violation - but that is somebody else's problem to deal with later.
And that someone is Lina Khan.
Re: (Score:2)
It is a PCI violation - but that is somebody else's problem to deal with later.
And that someone is Lina Khan.
no.
PCI is not law. It is a voluntary compliance agreement between card issuers, processors, merchants, and insurers.
She could, as a card holder, complain to her credit card company that she feels her information was not properly handled.
As a government regulator, she could hold an inquiry after-the-fact as to whether or not industry standards are sufficient in such situations.
Re: (Score:2)
you are not very bright are you? *looks at username* oh. Carry on.
Re: (Score:2, Insightful)
Given that security *starts* at the front desk and the person who's asking for your card, they absolutely should have a SOP on it and know what that is. If they don't, then right there a business has a problem.
Re:Lina Khan and her staff (Score:4, Insightful)
Re: (Score:3)
To try and cover up the recently disclosed alien mummies, duh.
Re: (Score:1)
Alien porn.
Re: Lina Khan and her staff (Score:2)
Re: (Score:2)
If the person you are writing down your credit card info on a piece of paper and handing it off to, does not know how to keep your information secure, WTF are you doing handing it off to them?
Re: (Score:2)
Just curious, what were they doing in Vegas?
What Happens In Vegas ... Stays In Vegas.
Slot machines? (Score:3, Insightful)
"...some slot machines at its casinos across the country are still out of service and ..."
Wait, why are slot machines on the internet in the first place?
Re:Slot machines? (Score:4, Informative)
TITO and players club (free play / player rating) (Score:4, Insightful)
TITO and players club (free play / player rating) needs them to be on the network.
Re: (Score:3)
data, baby, data. real time information on every single slot in every wing of every casino giving you live information on number of plays, number of wins/losses. They crave data every bit as much as Google.
Re:Slot machines? (Score:5, Informative)
It's also how they manage payouts, Nevada law says the machines have to pay out a minimum of 75% of wagers put in so they coordinate this across all properties, not at individual machines.
Re: (Score:3)
Performance monitoring and remote management.
wms slots had that achievements tech gamers life? (Score:2)
wms slots had that achievements tech think it was called gamers life?
Re: (Score:3)
Re: (Score:3)
Probably part of a larger pool of machines so they can advertise a bigger jackpot.
Lesson in resource allocation (Score:4, Insightful)
Re: (Score:1)
"everyone i don't like is a socialist/marxist/communist"
Re: (Score:2)
"everyone i don't like is a socialist/marxist/communist"
Lots of people these days, especially among the elites, self identify as socialist/marxist/communist, or at least believe in such principles. Not that it's usually a real issue, but some are true believers.
Re: Lesson in resource allocation (Score:2)
Which kind of elites? Not the economic kind.
Re: (Score:1)
Says Richie Rich over here. ;)
Re: (Score:2)
OTOH you get the workers you pay for and train. If they feel valued and are paid well for their role they'll care but then again these types of attacks require
constant vigilance.
Time to bring back Letters of Marque?? (Score:1)
Or should I say "emails of Marque" :)
No, I'm not serious - there are good reasons the international community pretty much got rid of privateering in the 19th century [wikipedia.org].
But still, it's fun to think about Congress authorizing "cyber-privateers."
"The year was 2128, I wish I were in Berkeley now..." [stanrogers.net]
Re: (Score:2)
Privateering wasn't really gotten rid of; it was just regularized with the concept of the 'armed merchant cruiser'.
With the start of effective blockade, one side at least had little use for its merchant fleet other than that.
MGM table rules are better than Caesars (Score:2)
MGM table rules are better than Caesars
at MGM the minimum bet goes up you are locked into the lower rate also on the face up pai gow tables and others? playing 2 hands you just need to bet min on both and not X2 min like some other places.
MGM did something much worse than security failure (Score:1, Troll)
They inconvenienced someone in power.
if the janitor was asking for your info to get WC (Score:2)
if the janitor was asking for your info to get bathroom then maybe they should know where they are keeping that info.
manual credit card take down used to be on carbon (Score:2)
and did people ask how long they keep that info around the store / hotel / etc?
Re: (Score:2)
The front desk doesn't set policy (Score:2)
Re: (Score:3)
"Why are you asking them about company policy?"
Because they are *implementing* the policy at the first point of contact. The front-desk clerk is intimately familiar with what the front-desk clerk was told to do. Finding out what they were told to do and whether that was communicated in a way they could actually follow is the first step in finding out if there is an actual problem.
For example: the front-desk clerk asked for the credit card info to be written down on a piece of paper. That sounds bad. But was
Re: (Score:2)
High Profile Individual Mad After Learning Truth (Score:2)
So the High Profile Individual learned that ... just like everyone else in this system ... they're treated the same. And then they get mad. Hilarious.
Hackers don't discriminate...The systems that they kill are all vulnerable to their attacks unless and until we learn to treat data -- and each other -- better. But...no, this is not what will happen.
What will happen is FTC will probably slap MGM. MGM will rebrand...And everyone involved will get a check for $1.13 (only usable on MGM slot machines) with free c
more proof (Score:1)
More proof that Khan is an idiot, or at least a "karen." Why would she expect a check-in clerk to know what the corporation is doing internally? Idiot.
Re: (Score:2)
Well, PCI compliance requires every employee with access to sensitive credit card information at a company adhering to PCI-compliant processes, so if the company's employees don't know the processes, there's a high probability of a PCI violation. PCI compliance failure can result in the loss of the privilege to process credit card payments, which would essentially result in overnight closure of the business. Companies that want to stay in business do not play around when it comes to PCI compliance.
How Should The PCI Be Handled In This Situation? (Score:2)
I was hoping someone would have some good ideas for how the company SHOULD be handling the sensitive information, but all I've seen are dumb arguments about who's dumb for asking the only people they have access to about what they're doing to keep said PCI secure.
My naive approach would be to keep a record of the individuals who have access to the information (clerks, supervisors, etc), like a chain of custody document, and store the information itself in a locked cabinet (as secure as possible, obviously y