MGM Report to SEC Details Impact of September Cybersecurity Attack

Author: Keith Stein | Fact checker: Tommi Valtonen

MGM Resorts International anticipates having the rest of its computer systems up and running in the coming days following a cybersecurity attack on Sept. 11 that almost paralyzed company operations.

The company provided some details on the cybersecurity issue in a Form 8-K report to the U.S. Securities and Exchange Commission (SEC) on Thursday.

On Sept. 12, MGM issued a statement that it had identified a cybersecurity issue affecting the company’s U.S. systems. MGM is one of the largest resort & casino operators in the world, with destinations in Las Vegas, Detroit, Maryland, Massachusetts, Mississippi, and New Jersey.

“Promptly after detecting the issue, the company responded swiftly and shut down its systems to mitigate risk to customer information, which resulted in disruptions at some of the company’s properties but allowed the company to prevent the criminal actors from accessing any customer bank account numbers or payment card information,” the company said in the SEC report.

Since that time, operations at the company’s domestic properties have returned to normal and virtually all the company’s guest-facing systems have been restored. The company continues to focus on restoring the remaining impacted systems.

In an email to customers on Thursday, MGM CEO Bill Hornbuckle said affected properties have returned to normal after “sophisticated criminal actors recently launched a cyberattack on MGM Resorts’ IT systems.”

“As part of our remediation efforts, we have rebuilt, restored, and further strengthened portions of our IT environment,” Hornbuckle said.

MGM employees reported not having access to email until Oct. 3, following the Sept. 11 cyber-attack.

MGM told the SEC it believes the operational disruption experienced at its affected properties will have a negative impact on its third quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter.

“Specifically, the company estimates a negative impact from the cyber security issue in September of approximately $100 million to the Las Vegas Strip Resorts and regional operations, collectively,” company officials said in the Form 8-K report. In addition, the company has incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third-party advisors.

Company officials did warn that after the one-time expenses described above and future expenses, “the full scope of the costs and related impacts of this issue has not been determined.”

MGM admitted to experiencing impacts to occupancy after hotel bookings through the company’s website and mobile applications were affected. The impact was mostly contained to the month of September, when occupancy was 88% (compared to 93% in the prior-year period).

As of this week, customers can again log into the MGM website and mobile app to book rooms.

The company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by the Formula 1 auto race slated to occur on the streets of Las Vegas.

MGM believes that the unauthorized third-party activity is currently contained. The company has determined, however, that the criminal actors obtained some customer information from transactions prior to March 2019. For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors.

“At this time, the company does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors,” MGM said. “The company also has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud.”

In the coming weeks, the company will provide notification by email to individuals impacted by this issue as required by law. It will offer those individuals free identity protection and credit monitoring services.

MGM said it is taking significant measures, working with industry-leading third-party experts, to enhance its system safeguards further.

BetMGM, one of the leading sports betting and iGaming operators in the U.S., remained open for online sports betting and casino gaming despite the cyber-attack in September. BetMGM is a partnership between MGM and Entain PLC.

Political Editor
Keith Stein is a freelance journalist based in Virginia. He has experience in freelance writing, full-time journalism and supporting monthly and weekly news publications. He has also worked as a contributing writer with United Press International.