FTC files lawsuit demanding MGM cooperation in cyberattack probe
The FTC’s petition in the US District Court in Nevada seeks an order to force MGM Resorts to respond to its investigation into the September 2023 breach at the group’s Las Vegas Strip properties.
The move comes just weeks after MGM submitted a lawsuit of its own in Washington DC’s Federal Court. In April, the group argued it does not have to comply with the FTC’s Civil Investigation Demand (CID) because it is not a financial institution.
The casino company also asked for FTC chair Lina Khan to recuse herself from the case since she was on site when the cyberattack in Las Vegas took place.
FTC refutes MGM claims
In its new Nevada filing, the FTC has argued that MGM Resorts comes under its purview as it is an institution that extends customers credit. It described MGM’s argument as “meritless”.
“MGM may argue… that it is not the type of entity subject to the Safeguards Rule and Red Flags Rule (respectively, a “financial institution” or “creditor”) and therefore the CID is improper. That argument is meritless. In the first instance, MGM’s jurisdictional objection has no bearing on the CID’s requests for information relevant to unfair or deceptive acts or practices violating Section 5 of the FTC Act and MGM cannot deny that it is subject to the FTC Act,” the filing read.
If the court rules in favour of the FTC, MGM will have 10 days to respond to the information requested in the CID.
The legal battle relates to the large-scale cyberattack launched against MGM in September last year. MGM was forced to shut down certain systems across its US properties due to the attack. Access to MGM hotel rooms and slot machines were affected by the attack.
Hacker group Scattered Spider claimed responsibility for the attack days after it took place. It said that it would launch further attacks on MGM’s infrastructure if MGM did not meet demands for payment.
Why was the MGM suit filed?
The April suit outlined that MGM is seeking “injunctive and declaratory relief” against the FTC. MGM is claiming that actions carried out by the FTC and Khan have deprived MGM of its rights within the due process clause of the Fifth Amendment.
This clause stipulates that bodies subject to government action are granted a hearing in front of an unbiased tribunal. It also outlines guaranteed fair treatment under the law.
The suit cites media reports, which stated that Khan “and an unnamed senior aide” were staying at one of MGM’s Las Vegas properties at the time of the cyber attack.
As the IT systems were down, according to a report from Bloomberg, a member of staff asked Khan and her staff to write down their credit card information on paper.
Khan then asked the employee how MGM was handling data security in wake of the attack. The employee reportedly said he didn’t know.
The FTC investigation was launched following this exchange. The FTC issued a Civil Investigative Demand (CID) on 25 January 2024 to obtain a response to Khan’s question. According to the suit, the CID asks for information from more than 100 categories across periods that precede the attack.
The following month MGM estimated that the attack would damage its adjusted property EBITDAR for the third quarter by $100.0m (£80.3m/€94.1m). Despite this, it reported record revenue of $3.97bn in Q3. Presenting its Q3 results, CEO Bill Hornbuckle said MGM “went to hell and back” as a result of the attack.
Caesars describes cyberattacks as “new norm”
Caesars was also hit by a cyberattack in September. The operator said that its loyalty programme database was breached as part of the attack.
Earlier this week, Nicole Solaita, SVP and chief audit executive at Caesars, told a KPMG webinar that cyber threats in the gaming industry are now “our new norm”.
Reflecting on the highly impactive cyber-attack on Caesars last September, Solaita told the audience: “Unfortunately I’ve realised that this is really going to be our new norm in this corporate space.
“Education for the employees is so key in this space and training is clearly fundamental. But as much as you train and you try to be prepared, we’re seeing that some of these cyber events haven’t been all that sophisticated,” she said.