Cybersecurity

MGM Resorts anticipates no further disruptions from September cyberattack

MGM Resorts International said it does not expect any further operational disruptions related to a massive September cyberattack. 

The company, which operates more than 30 casino hotels across the globe, disclosed a social-engineering attack that disrupted casino operations, card payments and other facilities at some of its most iconic properties in Las Vegas. 

MGM Resorts previously disclosed the attack would cost more than $100 million in losses, mostly related to its Las Vegas area operations. 

“Over the following weeks, we fully restored [and] enhanced these systems and were fully operational by the end of the month,” MGM Resorts CEO William Hornbuckle said during the company’s third quarter earnings call. “Following the issues, we have seen incredible resilience in our business to start the fourth quarter going forward.”

Much of the impact was due to a loss of revenue from room cancelations and other efforts to restore service, MGM Resorts CFO Jonathan Halkyard said during the call. The impact on the fourth quarter will be limited, as some bookings from early October fell through, according to Halkyard.

Insurance will cover the losses incurred, Hornbuckle said. The cyberattack is not expected to have a material impact on financial results or operations, the company said Wednesday in a 10-Q filing with the Securities and Exchange Commission

The company did not give an estimate on how big the insurance filing will be, but JMP Securities analyst Jordan Bender previously said MGM Resorts had a policy that covered about $200 million for business interruption and ransomware. 

MGM Resorts took steps to lock down its systems, and is looking at system design issues as it expects to spend up to $40 million on IT investments next year, Hornbuckle said. 

During the Q&A, Hornbuckle noted that insurance costs for cyber and otherwise have risen sharply in recent years. He said the cost of Las Vegas insurance has doubled since 2019 and gone up fourfold in the company’s regional casinos. 

MGM Resorts and rival Caesars Entertainment were the targets of sophisticated social engineering attacks by criminal threat groups researchers identify as Scattered Spider and ALPHV or BlackCat. Security researchers suspect the groups worked together on these attacks under a ransomware as a service affiliation model.

MGM Resorts is the subject of multiple class-action lawsuits related to the attack, but said can’t predict the timing of when they may be resolved.

The company confirmed it was attacked by third-party criminal actors, who stole personal contact data, dates of birth, drivers license numbers and other sensitive data of some customers. A limited number of customers had their Social Security numbers and passport information stolen, according to the SEC filing. 

MGM Resorts warned it may face additional litigation, investigations, regulatory inquiries or enforcement actions and said it is reasonable to expect financial losses related to the various legal proceedings, but too early to estimate a total cost