MGM Resorts expects $100m hit from cyberattack

The operator was forced to shut down certain systems on 11 September over a cybersecurity issue. The MGM Resorts website was also down for a period during the cyberattack.

MGM published an update a week later saying it was working to “normalise” operations at its Excalibur Las Vegas casino.

Now, MGM says operational disruption at affected properties will have a negative impact on Q3, which concluded on 30 September. This, it says, will predominantly hit the performance of its operations in Las Vegas.

Specifically, adjusted property EBITDAR for Las Vegas Strip Resorts and Regional Operations segments will be negatively impacted by $100.0m in Q3.

MGM upbeat over Q4 and full year

However, MGM adds that there will only be minimal impact in Q4, while it does not expect a material effect on its financial condition and results for the full year.

MGM adds that it expects a record November, driven by the Formula 1 motor-racing event that will take place for the first time in Las Vegas next month.

In terms of bookings, MGM says room occupancy was mostly contained in September, with occupancy rate for the month at 88%. This was down from 93% in September 2022.

In addition, MGM notes that it incurred less than $10m in one-time expenses in Q3 related to the cyberattack. These included technology consulting services, legal fees and expenses of other third-party advisors.

However, MGM adds that it is still unsure as to the full financial impact of the incident.

“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” MGM said.

“Based on the ongoing investigation, the company believes that the unauthorised third-party activity is contained at this time.”

MGM pledges to support customers

In a further update, MGM has revealed the type of information that was stolen during the attack. This includes the name, contact information, gender, date of birth and driver’s licence number of some customers.

MGM also says for a limited number of players, social security number and passport number was also affected. It adds that the types of impacted information varied by individual.

However, MGM stressed that it does not believe player passwords, bank account numbers or payment card information was affected.

Soon after learning of the cyberattack, MGM took steps to protect its systems and data, including shutting down certain systems. It also launched an investigation with the assistance of cybersecurity experts and continues to coordinate with law enforcement over the case.

MGM is now in the process of notifying impacted customers and has arranged to provide those customers with credit monitoring and identity protection services free of charge.

“MGM Resorts takes the security of its systems and data very seriously and has put in place additional safeguards to further protect its systems,” MGM said.

A hacker group called Scattered Spider, reportedly part of a ransomware collective, is claiming responsibility for the breach.

Scattered Spider said it launched ransomware attacks across MGM’s systems. The group also threatened further attacks on MGM’s infrastructure if MGM failed to meet payment demands.

Caesars also hit by cyberattack

In the days after MGM was hit by the cyberattack, Caesars Entertainment also reported a similar issue. In a filing with the Securities and Exchange Commission on 14 September, the operator said its loyalty programme was compromised.

Following an investigation, it was revealed attackers obtained customer data including a copy of Caesars’ loyalty programme database. This database detailed the driver’s licence numbers and social security numbers of various loyalty programme members.

Caesars added that its customer-facing facets, such as Caesars Entertainment locations and mobile gaming apps, were unaffected by the attack.

Sources reported in the media that Caesars paid tens of millions of dollars in ransom to the cyberattackers. It is understood that MGM did not pay any ransom after its attack.

FBI says Lazarus Group responsible for Stake.com attack

Also in September, cryptocurrency online sportsbook and casino Stake.com was hit by a series of unauthorised transfers. Stake.com identified issues related to Ethereum, Polygon and the Binance Smart Chain. The FBI confirmed earlier reports that $41.0m worth of cryptocurrency was impacted.

The FBI later identified cybercrime organisation Lazarus Group as the party responsible. It also confirmed earlier reports that $41.0m worth of cryptocurrency was impacted.

Also known as APT38, Lazarus Group is affiliated with Democratic People’s Republic of Korea (DPRK).