MGM Resorts Suffers $100 Million Loss and Data Breach from Devastating Ransomware Attack
MGM Resorts Reveals $100 Million Cost and Customer Data Theft in Cyberattack
MGM Resorts has revealed that a recent cyberattack cost the company $100 million and resulted in the theft of customers’ personal information.
On September 11, 2023, the hospitality and entertainment giant disclosed a cybersecurity issue that affected its main website, online reservations systems, and in-casino services such as slot machines, credit card terminals, and ATMs.
Further investigation revealed that the threat actor behind the attack was Scattered Spider, an affiliate of the BlackCat/ALPHV ransomware gang.
These hackers gained access to MGM’s network through social engineering techniques, stealing sensitive data and encrypting over a hundred ESXi hypervisors.
The cyberattack had a significant impact on MGM’s business operations due to the prolonged IT system outage.
A Form 8-K filing with the SEC states, “[MGM] estimates a negative impact from the cybersecurity issue in September of approximately $100 million to Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, collectively.”
While the availability of bookings through the company’s website and mobile applications impacted occupancy, the effect was mostly limited to the month of September, accounting for 88% of the loss.
In addition to the $100 million loss in earnings, MGM also incurred less than $10 million in one-time expenses for risk remediation, legal fees, third-party advisory services, and incident response measures. The company expects to be fully covered by its cybersecurity insurance.
MGM asserts that the financial impact will primarily affect Q3 2023 and does not anticipate any significant effects on its annual financial performance.
MGM Resorts assures that the incident has been contained, and all guest-facing systems have been fully restored. Any remaining systems still offline are expected to resume normal operations in the coming days.
Customer Data Stolen
MGM Resorts also warns that the threat actors successfully stole the personal information of customers who conducted transactions with MGM prior to March 2019.
A separate notice has been sent to affected individuals, informing them of the exposed details, which vary depending on the individual:
- Full name
- Phone number
- Email address
- Postal address
- Gender
- Date of birth
- Driver’s license
- Social Security Number (SSN)
- Passport number
MGM concludes that its investigation has not discovered any evidence of customer passwords, bank account numbers, or payment card information being exposed in the incident.
The company is offering free credit monitoring and identity protection services to those affected by the data breach and advises customers to be cautious of unsolicited communications.
“We recommend that you review account statements and monitor your free credit reports to remain vigilant against incidents of fraud and identity theft,” advises MGM Resorts.
“Additionally, please remain alert for unsolicited communications involving your personal information.”