MGM Resorts International has given further details about a widely publicized cyberattack last month, saying that certain personal customer data was impacted and that the incident will cost the company approximately $100 million.
As the cyberattack broke out last month, leading to disruptions across MGM hotels, casinos and its website, MGM Resorts gave brief updates about how it was working to resolve the matter, but questions remained about the impacts for the casino and resort giant and for its customers. In a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC) and an update on its website, both released on Oct. 5, MGM Resorts filled in some of these blanks, saying that on Sept. 29 it determined that the personal information “of some of its customers” was compromised on Sept. 11.
“The affected information included name, contact information (such as phone number, email address, and postal address), gender, date of birth, and driver's license number,” according to MGM Resorts. “For a limited number of customers, Social Security number and/or passport number was also affected. The types of impacted information varied by individual. The Company does not believe customer passwords, bank account numbers, or payment card information was affected by this issue.”
In its Form 8-K disclosure, MGM Resorts detailed its remediation measures after the cyberattack at a high level, saying after detecting the issue it shut down its systems to “prevent the criminal actors from accessing any customer bank account numbers or payment card information.” This led to the disruptions that had been widely reported across properties, according to MGM Resorts. Operations at MGM domestic properties have since been returned to normal; and while most of the guest-facing systems have been restored, the remaining guest-facing systems that are still impacted will be restored in the coming days, the company said.
MGM Resorts said it believes the operational disruption experienced at its properties during the September incident will have a negative impact on its 2023 third quarter results of around $100 million for the Las Vegas Strip Resorts and Regional Operations segments. However, the company said it expects a “minimal impact” during the fourth quarter and does not expect a material effect on its financial condition and results of operations for the year.
“While the Company experienced impacts to occupancy due to the availability of bookings through the Company’s website and mobile applications, it was mostly contained to the month of September which was 88% (compared to 93% in the prior year period),” according to MGM Resorts.
MGM Resorts also reported incurring less than $10 million in one-time expenses from consulting services, legal fees and other third-party advisory expenses related to the cyberattack. Though MGM Resorts has not referred to the incident officially as a ransomware attack, a Wall Street Journal report this week said that hackers made ransom demands and that the company refused to pay the ransom.
“Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” according to MGM Resorts.
The cyberattack on MGM Resorts was disclosed around the same time as a separate one on Caesars Entertainment. In a disclosure a few weeks ago, Caesars said that its hack had stemmed from a social engineering attack on a third-party IT support vendor that the company uses. In that incident, attackers were able to access a copy of Caesars’ loyalty program database, which included driver’s license numbers and social security numbers for “a significant number” of program members. Caesars, which determined the unauthorized access on Sept. 7, said that it is investigating if any further personal information was included in the files acquired by the unauthorized actor, and said it has “no evidence to date that any member passwords/PINs, bank account, or payment card information (PCI) were acquired by the unauthorized actor.”