Executive Summary
MGM Resorts International, one of the world’s largest gambling firms, recently suffered a cyberattack resulting in a projected $100 million financial hit for the third quarter.
Although the breach exposed sensitive customer data predating March 2019, no evidence of identity theft or fraud has emerged. Also, the company determined that no customer bank or payment information was compromised.
MGM Resorts expects a minor dip in occupancy rates for October but anticipates a strong fourth quarter.
Despite the financial impact, MGM Resorts believes it has adequate insurance coverage, though the full extent of the breach’s consequences is yet to be determined.
Attack and Response
MGM Resorts promptly responded to the cyberattack by shutting down its systems to contain potential damage.
Customers shared images on social media following the attack, showing slot machines displaying error messages and long queues at hotels in Las Vegas. MGM has not commented on whether any ransom was demanded or paid.
“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” said MGM Resorts President and CEO Bill Hornbuckle in an open letter to customers.
Hornbuckle apologized to customers and also expressed gratitude to employees who were stretched thin by the attack, as hotel services like reservations, casino gaming, digital keys and other services were disrupted.
For more information about the MGM cyberattack, you can visit the following news articles about the attack:
- MGM Resorts System Outage due to Cyberattack
- Key Insights Revealed about MGM Resorts Attack
- MGM Ends 10-Day Shutdown Amid Cyberattack
Data Breach Details
MGM Resorts filed a consumer breach notice with the Maine Attorney General’s office on October 5th, revealing that the breach was initially discovered between September 8 and September 12. According to the notice, the company determined on Sept. 29 that an unauthorized actor obtained the data of MGM Resorts customers on Sept. 11. Impacted customers are being notified via email.
The breach compromised the private data of customers who had used MGM services before March 2019. This included contact information, gender, date of birth, and driver’s license numbers. The company also suspects a limited number of Social Security numbers and passport numbers were accessed.
“We have no evidence that the criminal actors have used this data to commit identity theft or account fraud,” MGM clarified.
Financial Impact
The full extent of the costs and impacts of the breach is still unknown. However, MGM estimates that its adjusted property core profit for its Las Vegas Strip division will be negatively impacted by approximately $100 million.
Additionally, they anticipate incurring around $10 million in one-time costs for the quarter ending on September 30.
They also expect a slight decline in occupancy, with a decrease from 94% to 93% in October compared to the same month in the previous year.