MGM Resorts Cyberattack Cost Operator $100M, Other Updates from CEO
Last month’s widely reported cyberattack on MGM Resorts International, one of the world’s largest gambling firms, resulted in a $100 million hit to its third-quarter results, the operator said last week in a regulatory update. Additionally, dealing with the immediate consequences of the cyberattack cost it a one-time outlay of around $10 million in the same quarter.
The company shut down its systems after detecting the attack to contain the damage, and has been working to restore them since then. However, it has acknowledged that private data of customers who used MGM services before March 2019, including contact information, gender, date of birth, and driver’s license numbers, was obtained by hackers.
MGM asserts that there is no evidence that the data has been used to commit identity theft or account fraud. However, in a letter sent to employees late last week, company CEO Bill Hornbuckle told staff that some passwords were compromised.
“Some employees’ usernames and passwords to MGM systems were obtained by criminal actors, and as a result, all employee passwords will be reset,” the letter said.
The immediate consequences of the attack were extreme, with nearly all of MGM’s famous Nevada casino venues seeing huge disruption in all areas. After 10 days, the operator said the attack was over. But the long-term outcome for MGM and Caesars is not entirely clear yet.
“The full scope of the costs and related impacts of this issue has not been determined,” MGM said last week in the regulatory filing.
Social media posts and claims have continued to circulate alleging unauthorized access and theft from BetMGM accounts up to late last week, with some users asserting that their accounts were accessed and funds were removed to an unknown Visa card.
MGM denies these rumors. “We have no evidence that criminal actors have used this data to commit identity theft or account fraud,” said the letter from Hornbuckle.
In the legal arena, up to nine lawsuits have already been filed by customers of MGM and Caesars. The claims and lawsuits, whether valid or opportunistic, underscore the multifaceted challenges organizations face in the wake of a cyberattack: handling the operational and financial fallout while also managing reputational damage and legal entanglements.
To Pay or Not to Pay
MGM refused to pay the attackers’ demands, adhering to the FBI’s guidelines of non-negotiation with ransomware attackers.
The FBI maintains that paying a ransom doesn’t guarantee the retrieval of data, and further incentivizes perpetrators to target more victims. MGM’s decision contrasts with the approach taken by Caesars Entertainment just weeks earlier, which opted to pay $15 million to the same hacking group to mitigate operational chaos.
The hacking groups, known as Stalking Spider and ALPH-V, allegedly used social engineering techniques to aid their efforts. That included telephone calls and other interactions with staff at the casino operators, allowing the attackers easier access to company systems.
MGM says that, overall, it expects a $100 million hit to revenues and around $10 million in expenditure on responding to the attack.
Hornbuckle said the company was “well-positioned” for a strong finish to 2023 in Q4. The return of the Formula One Las Vegas Grand Prix in November is expected to be one of the biggest weekends ever for Sin City’s casinos, a dozen of which are owned and/or operated by MGM.