MGM says customer information was stolen during cyberattack, pegs losses at $100 million
MGM Resorts International said Thursday that an undisclosed number of customers had their personal information stolen in a cyberattack last month that took down the casino operator’s hotel, gaming and resort operations in eight states.
However, the company said in a statement it did not believe customer passwords, bank account numbers or payment card information was affected.
In an 8-K filing with the U.S. Securities and Exchange Commission, MGM said the cyberattack would cost the casino operator $100 million in adjusted cash flow covering its Strip resorts. The company said in the filing its cybersecurity insurance “should be sufficient to cover the financial impact of the attack on its business.”
Wells Fargo Financial gaming analyst Daniel Politzer told investors in a research note that he wasn’t sure if the $100 million was “better or worse than expected. [We’re] not sure it matters given that it’s covered by cybersecurity insurance.”
The company said information obtained by the hackers included name, contact information (such as phone number, email address and postal address), gender, date of birth and driver's license number.
For a limited number of customers, Social Security numbers and/or passport numbers were also affected. The types of stolen information varied by individual.
In a letter posted to the company’s website, MGM CEO Bill Hornbuckle said the company’s “fast and early response” protected customers’ financial information.
“We responded swiftly, shut down our systems to mitigate risk to customer information, and began a thorough investigation of the attack, including coordinating with federal law enforcement agencies and working with external cybersecurity experts,” Hornbuckle wrote.
“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” Hornbuckle added. “We also believe that this attack is contained.”
The comments were the most substantial disclosure on the cyber breach by MGM Resorts, which said the attack happened on Sept. 11 but that it took until Sept. 29 for the company to determine that customer information had been stolen.
MGM saw its business operations in eight states affected by the intrusion, including gaming floors, hotel processes and other guest services. Corporate programs, such as email and casino websites, were knocked offline. Eight days after the attack, MGM announced its resort and casino management systems were operating normally, but there were still reports throughout the rest of the month of downed or affected systems.
MGM Resorts said Thursday it sent emails, as required by law, to customers who had private information stolen. The company has arranged to provide those customers with credit monitoring and identity protection services at no cost to them.
In the SEC filing, MGM said it didn’t foresee any continued effect on its financial results for the rest of 2023. The company said it incurred less than $10 million in one-time expenses related to the cybersecurity issue, consisting of technology consulting services, legal fees and expenses of other third-party advisers.
MGM Resorts wasn’t the only casino operator hit by a cyberattack in September.
Caesars Entertainment, in a carefully worded 8-K filing with the Securities and Exchange Commission on Sept. 14, acknowledged it was the victim of a cyberattack by unknown hackers who stole data associated with the company’s customer loyalty program.
However, Caesars said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
Most cyber experts suspected Caesars paid a ransom in the millions of dollars to the hackers, although the exact amount is unclear and has not been disclosed by the company.
Cyber experts also said the gaming industry has become an enticing target for cybercriminals because companies have the ability and the willingness to pay large ransom figures.
MGM said it doesn’t believe the fallout from the cyberattack will have an effect on the company’s fourth-quarter operations. The company said it expects a potentially record revenue month in November from business drawn to the Strip by the Formula One Las Vegas Grand Prix race.
In his letter, Hornbuckle thanked the company’s employees for working through the cyberattacks and customers “for their loyalty and patience” as MGM worked through the matter.
“We regret this outcome and sincerely apologize to those impacted,” Hornbuckle wrote. “Your trust is paramount to us.”