MGM Resorts reveals that last month's cyberattack cost the company $100 million and allowed the hackers to steal customers' personal information.
The hospitality and entertainment giant disclosed a cybersecurity issue on September 11, 2023, which impacted its main website, online reservations systems, and in-casino services like slot machines, credit card terminals, and ATMs.
A few days later, it was revealed that the threat actor responsible for the disruption was an affiliate of the BlackCat/ALPHV ransomware gang known as Scattered Spider.
These hackers breached MGM's network using social engineering, stole sensitive data, and encrypted over a hundred ESXi hypervisors.
The IT outage persisted for an extended period and disrupted a broad range of MGM's business operations, so the financial impact was substantial.
"[MGM] estimates a negative impact from the cyber security issue in September of approximately $100 million to Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, collectively," reads a Form 8-K filing with the SEC.
"While the Company experienced impacts to occupancy due to the availability of bookings through the Company's website and mobile applications, it was mostly contained to the month of September which was 88%."
In addition to the $100 million hit to earnings, MGM incurred less than $10 million in one-time expenses for risk remediation, legal fees, third-party advisory, and incident response. MGM says it expects to be fully covered by its cybersecurity insurance.
Overall, MGM asserts that the financial impact will be predominantly confined to Q3 2023 and does not anticipate any significant effect on its annual financial performance.
MGM Resorts believes that the incident has been contained and that all of its guest-facing systems have now been fully restored; the remaining systems that are still offline are expected to resume normal operations in the coming days.
Customer data stolen
MGM is also warning that the threat actors managed to steal the personal information of customers who transacted with MGM before March 2019.
A separate notice was sent to impacted individuals yesterday, informing them that the following details, which vary from person to person, were exposed to the cybercriminals:
- Full name
- Phone number
- Email address
- Postal address
- Gender
- Date of birth
- Driver’s license
- Social Security Number (SSN)
- Passport number
MGM concludes that its investigation has found no signs that the incident exposed customer passwords, bank account numbers, or payment card information.
The company provides free credit monitoring and identity protection services to those impacted by the data breach and warns customers to remain vigilant against unsolicited communications.
"We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your free credit reports," warns MGM Resorts.
"We also recommend that you remain alert for unsolicited communications involving your personal information."
Comments
Hmm888 - 4 months ago
I was MGM's victim back in 2019. I foolishly used my "special" discreet Gmail account which I gave to only a few trusted contacts. Since then, I have been receiving a tonne of spam in German (I'm not German and have never been there) about explicit content. While Gmail catches most, they don't catch all of this spam written in German. They use unique emojis and more. Filters are immune to sorting them into the Trash. My Hotmail account, which I had long before Google existed (anyone remember AltaVista?) and use now for spam mailings, doesn't receive explicit sexual content emails.
Anyway, MGM and Caesars, like most large entities and corporations, don't care; they don't want to learn from their mistakes. They have insurance to cover any losses and have no incentive. They (like Caesars) concede to the terrorists despite knowing very well the data will be sold on the dark web whether you pay the ransom or not.
These businesses/corporations/entities and government departments may think twice about paying the ransomware if they didn't have insurance, but in the end, they probably will. That cost will be passed on to their clients and patrons. Rinse and repeat.
I think it's imperative the government pass laws that prevent such expenses or costs from being paid or passed on to their customers. And insurance companies need to wake up and stop selling these insurance plans. Until then, expect your data to be breached and carry a lot of cash in your wallet for when the time comes and you can't pay by Tap, credit or debit card.