MGM Resorts has disclosed that the cyberattack it experienced in September will have a significant impact on its third-quarter financial results, estimated at around $100 million, primarily affecting its Las Vegas operations. The costs incurred will encompass approximately $10 million for technology consultants, legal fees, and other third-party advisors.
MGM Resorts’ President and CEO, Bill Hornbuckle, conveyed his apologies to customers and gratitude to employees who faced disruptions due to the cyberattack. Although operations at the affected properties have returned to normal, the company reported a drop in hotel occupancies for September, with a rate of 88%, compared to 93% the previous year, primarily attributed to disruptions to the company’s website and mobile apps used for reservations.
The company remains optimistic about a strong fourth quarter, with a projected “record” November, driven by an upcoming Formula 1 race event. It expects October occupancy to reach 93%, down by one percentage point year over year.
MGM Resorts also confirmed that sensitive customer data from transactions conducted with the company before March 2019 was compromised by unidentified criminal actors. This data includes names, addresses, phone numbers, emails, dates of birth, driver’s license numbers, and, in some instances, social security and passport numbers. The company asserts that passwords, credit card numbers, or bank account information were not accessed, and there is no evidence of the stolen personal data being used for fraudulent purposes. Customer data from The Cosmopolitan of Las Vegas was not breached.
The company is working with third-party IT experts to implement substantial system upgrades aimed at preventing future cyberattacks. The hackers claimed to have accessed the company’s Okta environment, which had been the target of multiple social engineering attacks. Although Okta denied that its environment at MGM Resorts was compromised, it confirmed cooperation with the company to address the incident.
Security researchers have attributed the hack to a social engineering attack orchestrated by a threat group called Scattered Spider, possibly connected to AlphV/BlackCat. In a separate incident, Caesars Entertainment also experienced an attack compromising rewards data for its customers.
MGM Resorts anticipates that its insurance coverage will be adequate to offset the financial impact of the attack, although the complete extent of this impact is yet to be determined. JMP Securities analyst Jordan Bender noted that MGM Resorts had insurance covering approximately $200 million for business interruption and ransomware-related expenses.
By FCCT Editorial Team

