MGM Resorts reveals that last month’s cyberattack cost the company $100 million and allowed the hackers to steal customers’ personal information.
The hospitality and entertainment giant disclosed a cybersecurity issue on September 11, 2023, which impacted its main website, online reservations systems, and in-casino services like slot machines, credit card terminals, and ATMs.
A few days later, it was revealed that the threat actor responsible for the disruption was Scattered Spider, an affiliate of the BlackCat/ALPHV ransomware gang.
These hackers breached MGM’s network using social engineering, stole sensitive data, and encrypted over a hundred ESXi hypervisors.
The IT system outage continued for an extended period, and its impact was substantial, as the cyberattack disrupted a broad range of MGM’s business operations.
“[MGM] estimates a negative impact from the cyber security issue in September of approximately $100 million to Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, collectively,” reads a Form 8-K filing with the SEC.
“While the Company experienced impacts to occupancy due to the availability of bookings through the Company’s website and mobile applications, it was mostly contained to the month of September which was 88%.”
In addition to losing $100 million in earnings, MGM also incurred less than $10 million in one-time expenses for risk remediation, legal fees, third-party advisory, and incident response measures. MGM says it expects to be fully covered by its cybersecurity insurance.
Overall, MGM asserts that the financial impact will be predominantly confined to Q3 2023 and does not anticipate any significant effect on its annual financial performance.
MGM Resorts believes that the incident has been contained and that all of its guest-facing systems have now been fully restored, with any systems still offline expected to resume normal operations in the coming days.
Customer data stolen
MGM is also warning that the threat actors managed to steal the personal information of customers who transacted with MGM before March 2019.
A separate notice was sent to impacted individuals yesterday, informing them that the following details, which vary depending on the individual, have been exposed to the cyber criminals:
- Full name
- Phone number
- Email address
- Postal address
- Gender
- Date of birth
- Driver’s license
- Social Security Number (SSN)
- Passport number
MGM concludes that its investigation has not unearthed signs that the incident exposed customer passwords, bank account numbers, or payment card information.
The company provides free credit monitoring and identity protection services to those impacted by the data breach and warns customers to remain vigilant against unsolicited communications.
“We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your free credit reports,” warns MGM Resorts.
“We also recommend that you remain alert for unsolicited communications involving your personal information.”