MGM Resorts recently disclosed that it faced a significant cyberattack last month, which led to a financial setback of $100 million and a compromise of the personal data of its customers.
On September 11, 2023, the leisure and entertainment behemoth reported a digital security breach that affected its primary website, online booking platforms, and on-site amenities such as slot machines, credit card facilities, and ATMs.
Subsequent investigations identified the culprits behind this cyber onslaught as Scattered Spider, a subgroup affiliated with the infamous BlackCat/ALPHV ransomware collective.
Using adept social engineering techniques, these cybercriminals infiltrated MGM’s systems, extracting sensitive information and encrypting more than a hundred ESXi hypervisors.
The resulting system downtime had a wide-reaching effect, significantly hindering many of MGM’s operational facets.
According to an SEC Form 8-K filing, “MGM’s September cybersecurity setback has projected an adverse financial impact of approximately $100 million on the Adjusted Property EBITDAR for the Las Vegas Strip Resorts and other regional activities. Notably, while the website and app bookings faced disruptions, the predominant effects were during September, with an occupancy rate of 88%.”
Beyond the $100 million in lost revenue, MGM also incurred additional costs nearing $10 million. These costs were associated with risk mitigation, legal counsel, expert consultancy, and actions taken in response to the incident. Thankfully, MGM’s cybersecurity insurance is anticipated to cover these expenses.
MGM emphasizes that while Q3 2023 will show these financial impacts, it does not foresee any lasting detriment to its annual fiscal outcomes.
The company now confirms that the breach has been neutralized. Its customer-facing systems are operational again, and any remaining offline modules should be back on track soon.
However, MGM cautions that clients who interacted with the company before March 2019 might have had their personal data accessed. Impacted patrons received notifications detailing the potential exposure of various personal details, ranging from basic contact information to sensitive identifiers like Social Security Numbers and passport details.
Fortunately, MGM’s internal inquiry hasn’t found evidence of password, bank, or payment card information leaks.
As a remedial measure, MGM is offering complimentary credit monitoring and identity protection services to the affected parties. The company also urges customers to be proactive, advising, “It’s crucial to stay alert against potential fraudulent activities by regularly scrutinizing account activities and overseeing free credit updates. Moreover, always be skeptical about unexpected communication attempts seeking your personal data.”
This situation underlines the importance of cybersecurity vigilance and the potential ramifications of lapses.