MGM Resorts International has quantified the hack that brought the world’s largest casino company to a virtual standstill in September.
According to a report filed with the SEC on Thursday, the company estimates the overall negative impact of the cyber attack on Q3 earnings will be $100 million.
MGM acknowledged that the full scope of the costs and related impacts is still to be determined, but noted in their filing that “virtually all of [our] guest-facing systems have been restored.”
The hotel and casino conglomerate informed state and federal regulators on Sept. 12 that it was under attack. Days later, hackers from Scattered Spider, a US/UK subgroup of the Russian-speaking ransomware gang ALPHV, took credit for the major business disruption.
MGM said the company had to spend about $10 million on emergency technology consultants and legal fees.
Operational disruption occurred primarily at MGM’s Las Vegas properties, but casinos across the US were impacted. Slot machines showed error messages, ATMs and room keys weren’t working, and the company’s websites and online booking systems went offline.
Over the course of nearly two weeks, MGM hotels went from seeing massive lines as they manually checked in customers to looking practically abandoned.
MGM confirmed in Thursday’s filing that the hackers obtained personal information – including names, addresses, phone numbers, birth dates and even driver’s license numbers – from customers who visited properties prior to March 2019. For a smaller group of customers, hackers may also have obtained Social Security numbers and passport details.
MGM asserted that customer bank account info and credit card numbers were not compromised. The company also noted that the attack did not access data from The Cosmopolitan of Las Vegas, a casino-resort property MGM acquired in May 2022.
“While no company can ever eliminate the risk of a cyber attack,” MGM said in their Oct. 5 SEC filing, “[we have] taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards. These efforts are ongoing.”
Caesars Entertainment, the second largest global casino company, acknowledged that they, too, were hit by the same cyberattackers in September. They, however, reportedly paid $15 million – half of a $30 million ransom demanded – to have their systems unlocked and stolen data returned.
With MGM properties severely hobbled and Caesars casinos running smoothly, the decision to pay the ransom looked to some like the right call for customers and shareholders. But now others are saying Caesars’ move sets a bad precedent for the industry, and that gaming regulators shouldn’t allow casinos to conduct business with criminals.
While the attacks on MGM and Caesars may have come unexpectedly, they were not a total surprise.
Last year, in December, the Nevada Gaming Commission adopted regulations requiring casinos to implement and maintain adequate cybersecurity measures to protect consumers and employees.
The regulations call for casino licensees to conduct an initial risk assessment, establish protocols to monitor cybersecurity, and make modifications to comply with best practices.
Licensees have no more than 72 hours after becoming aware of a significant breach to notify the Gaming Control Board.
These regulations went into effect Jan. 1, 2023, but casino operators are not required to be in full compliance before Dec. 31, 2023.