blog post
MGM Data Breach
Last month, MGM Resorts suffered a significant data breach that the company has characterized as a cyberattack, anticipated to set back the casino behemoth upwards of $100 million, according to a statement from the Las Vegas-headquartered firm.
The breach, identified on September 10, prompted MGM to temporarily disable certain computer systems at its various U.S. locations to safeguard data. As a result, operations such as reservations and casino floors, including the Borgata in Atlantic City, faced disruptions. Customers took to social media to report issues with credit card transactions, ATM withdrawals, and hotel room access. On September 20, MGM declared the conclusion of its 10-day system shutdown.
The breach appears to resemble a ransomware attack aimed at extortion, although MGM has yet to confirm this. Brett Callow from Emsisoft, a cybersecurity firm, suggests that if it is indeed a ransomware attack, it might set a record as the most expensive one to date. For comparison, Norsk Hydro, a Norwegian aluminum manufacturer, incurred a $70 million loss in 2019 after declining to pay a ransom.
MGM CEO Bill Hornbuckle reassured customers in a letter, stating, “While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored.” He confirmed the containment of the attack and clarified that while no financial data was compromised, personal information such as names, contact details, and Social Security numbers of certain customers were stolen.
Although there is no evidence of the stolen data being misused, MGM plans to offer free identity protection and credit monitoring services to affected individuals. Hornbuckle apologized for the inconvenience caused.
In an SEC filing, MGM indicated that the data breach is expected to negatively influence its third-quarter financial results, especially in Las Vegas, but foresees minimal impact in the fourth quarter and overall annual operational results. The estimated loss includes not just adjusted property earnings, but also one-time expenses such as legal fees and technology consulting, totaling less than $10 million.
MGM wasn’t the sole casino operator targeted by hackers in September. Caesars Entertainment also reported a cyberattack on September 7, though it did not disrupt its casino and online operations. Caesars reportedly paid half of a $30 million ransom demanded by a group named Scattered Spider. MGM, however, is said to have refused to comply with the hackers’ ransom demand, according to a Wall Street Journal report.
Both MGM and Caesars are presently subject to nine federal lawsuits in connection with the cyberattacks, as reported by the Las Vegas Review-Journal this week.
By the time this is over, don’t be surprised to see costs close in on a Billion. Not too shabby for a 5 minute social engineering call to a help desk operator.
Author
Steve King
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.