Electric lock: cyber attackers are increasingly targeting physical infrastructure © Getty Images

High rollers returning to their suites at the Bellagio on the Las Vegas Strip in late 2023 encountered a peculiar obstacle. Their keyless fobs did not work.

Rather than the consequences of losing a wager, they were in fact dealing with the fallout from a ransomware attack on the resort’s owner, MGM. The company had been attacked by a group known as Scattered Spider, which used fraudulent phone calls to employees and the company’s help desks to “phish” for login credentials.

The fallout from the hack not only locked customers out of their rooms, but also halted slot machines. Crucially, it exposed customer data and drew attention to the far-reaching consequences of IT vulnerabilities, including in physical spaces.

“Most facets of modern life are controlled in some way or another by a digital system,” says Jamie MacColl, a senior research fellow at Royal United Services Institute (Rusi), a defence think-tank. “For every victim there will [probably] be a physical effect . . . it could be as simple as being locked out of the office or as complex as a downed manufacturing line.”

Risk management: Property

The article is part of a special report on risk management in the property sector. Other pieces cover environmental regulation, lending risk, and the secondary office market.

MacColl says the MGM attack demonstrated some of the systemic flaws within the built environment.

MGM estimated that the attack knocked about $100mn off its earnings, according to a Securities and Exchange Commission filing. It also paid $10mn in advisory fees.

The UK-based Royal Institute of Chartered Surveyors, in a survey of building managers this year, found that more than a quarter of the spaces they managed had experienced some form of cyber attack in the previous 12 months. It said criminals were targeting building systems that rely on connected devices to run services including access, ventilation and other main functions.

Connected devices installed in buildings are viewed as a potential backdoor to wider networks holding sensitive state or commercial information.

Dan Hughes, author of a 2025 Rics report into digital risks in buildings, said there was a fundamental mismatch between the pace of the property sector and the technology sector. Rapid changes in technology mean that devices and systems built into buildings can quickly become outdated and lack adequate software support.

He added that churn of tenants adds a layer of complexity in ensuring that systems are kept up to date. “A typical office building will change hands several times and when it does the information passed on isn’t particularly good,” Hughes says. “New occupants are basically starting from scratch . . . and they don’t have the information to keep everything up to date.”

Microsoft’s Windows 7 software, for example, could have been installed in a building opened in 2013, a year before it stopped being sold. The software group halted updates to the system in 2020. Although seven years is a short period in a building’s expected lifespan, it represents a lifetime in software, and a failure to upgrade these systems in a timely fashion leaves occupants at risk.

Outdated building technology could also affect cyber insurance policies. Insurers consider system failures and cyber attacks made possible by poorly maintained equipment to be a form of “wilful misconduct”, with any losses excluded from coverage. Separate policies may also be required for physical damage stemming from a cyber attack.

“There is an expectation from the cyber insurance market that a system is kept up to standard,” says Pablo Constenla, an analyst at insurance advisory group Aon. “If it’s too old and they do not update it, the insurer may argue that [any] losses should be excluded.”

Constenla says there is growing awareness of these risks among senior leadership at companies following the introduction of new statutory duties and the proliferation of attacks. But he cautions that insurers are also mitigating their exposure, leading to additional exclusions — including for war or state-backed attacks.

The costs of these attacks are vast. As well as the hit to earnings and the advisory fees, MGM agreed this year to pay $45mn to settle a class action brought by customers over the 2023 attack and an earlier 2019 data breach.

More recently, it emerged that UK carmaker Jaguar Land Rover was insufficiently covered in the wake of a damaging cyber attack in September, leaving it to shoulder billions of pounds in lost revenues and profits, the FT previously reported.

MacColl at Rusi cautions that it is not always possible to prepare for an attack, and that suppliers are particularly vulnerable.

“It’s very hard to know what knock-on impacts can be until you have an incident, particularly if you have outsourced IT,” MacColl says. “You might be reliant on dozens of providers, each with their own vulnerabilities.”

Cynthia Kaiser, a former FBI deputy assistant director and now a consultant at anti-ransomware company Halcyon, says companies still need to do more to plan and think about the value of a piece of technology long after it is installed. She says insecure systems can be protected through options ranging from something as simple as changing passwords to keeping tabs on who has access to particular devices.

“Not everything is inherently insecure,” she adds. “You just need to prioritise and identify which systems are most vulnerable and fix those first.”

Copyright The Financial Times Limited 2025. All rights reserved.