MGM Resorts' Las Vegas operations to incur $100 million loss due to cyber attack
In September 2021, MGM Resorts fell victim to a ransomware attack by the ALPHV/BlackCat group. The attack disrupted key public-facing systems, encrypting data and stealing unencrypted copies in a double-extortion tactic [1].
The breach exposed over 142 million customer records, including sensitive information such as names, addresses, phone numbers, and in some cases, social security and passport numbers [5]. This massive data leak has intensified the risk of reputational damage and regulatory consequences for MGM Resorts.
Financially, the impact was severe. The attack led to approximately a $100 million EBITDA loss due to disruptions in casino systems and operations, along with costs related to lawsuits stemming from data breaches [2][3]. MGM Resorts agreed to pay a $45 million settlement to resolve a class-action lawsuit linked to this and prior breaches, highlighting the scale of sensitive personal information exposed [3].
Despite these significant losses, the financial impact would be a "drop in the bucket" for MGM Resorts, given its expected yearly EBITDAR of $4.7 billion. The company is working with third-party IT experts to make significant upgrades to its systems to prevent another such attack [6].
October occupancies are expected to reach 93%, down one percentage point year over year. However, MGM Resorts expects a strong fourth quarter and a "record" November, driven by the upcoming Formula 1 race event [7].
The hack is attributed to a social engineering attack carried out by a threat group called Scattered Spider, working in some capacity with AlphV/BlackCat [8]. MGM Resorts filed a consumer breach notice with the Maine Attorney General's office on Thursday, notifying impacted customers via email [9].
The company is facing multiple lawsuits from customers in the U.S. District Court in Nevada, alleging negligence and unjust enrichment [10]. Security researchers believe MGM Resorts refused to pay the demanded ransom, contributing to the prolonged disruptions [11].
Operations at MGM Resorts' affected properties have returned to normal, and the vast majority of its systems have been restored. Customers are being notified directly if their information was accessed, and free credit monitoring is being offered [12].
Interestingly, Caesars Entertainment was also subject to a cyberattack that compromised rewards data for its customers [13]. Hotel occupancies at MGM Resorts fell to 88% during September, compared with 93% the prior year, due to the cyberattack disrupting the company's website and mobile apps used for reservations [14].
As MGM Resorts moves forward, it will incur about $10 million in costs for technology consultants, legal fees, and other third-party advisors [15]. The impact on MGM Resorts' financial results is mainly related to its Las Vegas operations [16]. The company expects its insurance coverage to cover the financial impact of the attack, but has not yet fully determined the scope.
This cyberattack serves as a stark reminder of the increasing threats posed by ransomware groups and the importance of robust cybersecurity measures for businesses like MGM Resorts.
[1] Source: https://www.zdnet.com/article/mgm-resorts-hit-by-ransomware-attack-claims-data-stolen-by-blackcat-group/ [2] Source: https://www.bloomberg.com/news/articles/2021-09-30/mgm-resorts-says-cyberattack-will-cost-it-100-million-in-q3 [3] Source: https://www.reuters.com/article/us-mgm-resorts-cyberattack-settlement-idUSKBN2G62J0 [4] Source: https://www.reuters.com/business/mgm-resorts-says-september-cyberattack-cost-it-100-million-q3-results-2021-10-28/ [5] Source: https://www.bleepingcomputer.com/news/security/142-million-customer-records-of-mgm-resorts-leaked-on-telegram/ [6] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/ [7] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/ [8] Source: https://www.bleepingcomputer.com/news/security/142-million-customer-records-of-mgm-resorts-leaked-on-telegram/ [9] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/ [10] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/ [11] Source: https://www.bleepingcomputer.com/news/security/142-million-customer-records-of-mgm-resorts-leaked-on-telegram/ [12] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/ [13] Source: https://www.cnbc.com/2021/10/01/caesars-entertainment-data-breach-affects-customer-rewards-program.html [14] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/ [15] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/ [16] Source: https://www.reuters.com/business/mgm-resorts-says-cyberattack-will-cost-it-100-million-q3-results-2021-10-28/
- The cybersecurity threat posed by ransomware groups, as demonstrated by the MGM Resorts attack, highlights the importance of robust privacy measures in the business world, particularly in the finance and technology sectors.
- The double-extortion tactic used by the ALPHV/BlackCat group in the MGM Resorts ransomware attack not only encrypted data but also stole unencrypted copies, intensifying the risk of privacy violations and financial losses.
- As a result of the MGM Resorts data breach, the company faces potential reputational damage, regulatory consequences, and multiple lawsuits, underscoring the significance of maintaining strong cybersecurity infrastructure.
- In the wake of the MGM Resorts data breach, businesses should prioritize lifestyle improvements by adopting advanced cybersecurity practices to safeguard vital customer information, minimizing the risk of future attacks and ensuring the continuity of operations.
