MGM Resorts Expects $100 Million Loss From Hack AttackCyber Insurance Expected to Cover Lost Revenue Plus $10 Million in Mitigation Costs
Hotel and casino giant MGM Resorts said the recent hack attack against it cost $110 million in lost revenue and mitigation expenses. The publicly traded company expects to recoup losses and costs to date via cyber insurance.
MGM Resorts said that while its investigation remains ongoing, it has found that on Sept. 11, an attacker stole information that dates from before March 2019. Exposed data includes some customers' name, contact information, gender, birthdates and driver's license numbers, as well as Social Security or passport numbers.
The company said it doesn't believe attackers stole customers' MGM Resorts account passwords, bank account numbers or payment card information. It has not yet stated how many individuals were affected.
MGM Resorts is one of the world's biggest casino operators, running 31 casino hotels globally. The company's hotels on the Las Vegas Strip include the Mandalay Bay and the MGM Grand, the third-largest hotel complex in the world. The company also operates casino hotels in Maryland, Michigan, Mississippi, New Jersey, New York and Ohio, as well as China.
The company said it had detected the attack on Sept. 10, after which it fell back to pen-and-paper processes, although its booking and reservation systems remained offline. The attack also led to customers being unable to use ATMs, hotel room door lock key cards and many slot machines.
The underlying IT outage was part of MGM Resorts' rapid response to the attack, Bill Hornbuckle, CEO and president of MGM Resorts, said in a letter to customers.
"We responded swiftly, shut down our systems to mitigate risk to customer information and began a thorough investigation of the attack, including coordinating with federal law enforcement agencies and working with external cybersecurity experts," he said. "While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored. We also believe that this attack is contained."
Hornbuckle added that "as part of our remediation efforts, we have rebuilt, restored and further strengthened portions of our IT environment."
The company has not said how attackers were able to breach its systems. Nevada's gaming commission, which regulates the sector, has said it wants details of the attack so it can share lessons learned with other companies. Officials said they would not press for such information until after the company's response effort has concluded.
Anecdotal evidence suggests the attacker successfully tricked a help desk employee into giving them access to an employee account, allowing them to bypass multifactor authentication controls from identity management company Okta. The security vendor warned last month that it had seen a surge in such attacks over the past year, and many of them traced to Scattered Spider - aka UNC3944 or Muddled Libra - which is a security industry codename for a group suspected of being an affiliate of the Alphv ransomware-as-a-service group, which develops and supplies its affiliates with BlackCat ransomware.
MGM Resorts has declined to respond to questions about whether or not it paid a ransom. Citing an unnamed source with knowledge of the company's response, The Wall Street Journal on Thursday reported that the company had not paid a ransom.
If so, that stands in contrast to rival hotel and casino operator Caesars Entertainment, which appears to have been targeted by the same group as early as Aug. 27. Caesars told investors it had paid a ransom to attackers in return for their promise to delete stolen data. The amount paid by the company was reportedly half of the attackers' initial $30 million demand.
Law enforcement and ransomware officials continue to urge victims to never pay a ransom for anything intangible, such as promises from extortionists to delete data, saying there is no evidence such a promise has ever been honored.
MGM Resorts Warns of Lost Revenue
As a result of the attack on MGM Resorts and its response, the publicly traded company told investors in a Thursday regulatory filing that it expects to record $100 million in lost earnings before interest, taxes, depreciation and amortization for the third quarter. The company said it has also spent about $10 million on response, including for IT consulting, legal fees and other advisers.
MGM Resorts said that while it "believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined."
The company said September occupancy declined to 88% - compared to 93% for September 2022 - due to customers being unable to make bookings via its website or mobile application. The company said it expects to have a strong fourth quarter, forecasting occupancy rates of 93% in October, compared to the 94% it saw in October 2022.
MGM Resorts said it will soon begin directly notifying affected customers via email and will offer them two years of identity theft monitoring via Experian.
"We regret this outcome and sincerely apologize to those impacted," Hornbuckle said. "Your trust is paramount to us."