No arrests to date in MGM, Caesars cyberattacks

Haley Hintze Author Photo
Haley Hintze
Posted on: November 19, 2023 12:51 PST

Authorities continue to gather evidence and investigate leads in September’s extortion-based cyberattacks targeting casino giants MGM Resorts and Caesars Interactive. However, according to a recent Reuters update, no arrests have been made in connection with the attacks to date.

The situation has become quizzical to officials from some of the third-party firms involved in the ongoing investigation, according to the report, because the US’s Federal Bureau of Investigation (FBI) has known the identities of “at least a dozen members” affiliated with the “Scattered Spider” hacking group that claimed responsibility for the hacks. The information, according to Reuters, was confirmed by four different officials among several American cybersecurity firms that continue to work with the casinos in investigating the attacks.

The experts cited several possible explanations for what they described as a sluggish response to date. Those explanations ranged from the secretive and loose-knit nature of the hacking groups, a possible lack of manpower at the FBI and other investigative agencies, and possible reticence on the part of MGM or Caesars to cooperative in a complete and ongoing manner. An ex-FBI official contacted by Reuters told the agency, “What I encountered working on the ransomware stuff is basically nine out of 10 times the company did not want to cooperate.” That reticence may be boosted somewhat by the reality that the losses connected to the cyberattacks have already been written off by the companies involved.

Hundreds of millions of dollars lost to attacks

The MGM and Caesars attacks represent just a tiny fraction of the hacking targeting major corporations. The Scattered Spider group and several related hacking entities have been on the FBI’s radar for roughly two years, and have been notably more aggressive in their attacks on the corporate targets. An executive with Maryland cybersecurity firm ZeroFox, which is working with Caesars, told Reuters that there have been 230 such attacks targeting large corporations in the past couple of years.

Though not all attacks bring extortion payments to the hackers, the overall cost is enormous. Caesars opted to pay the extortionists a reported $15 million to have control of its data systems and user information returned, although a post-attack investigation revealed that a large quantity of customer data had been compromised, and the company has launched an identity-protection program for perhaps hundreds of thousands of its Caesars Rewards loyalty program members.

MGM Resorts, in contrast, did not cave in to the extortion demands. In taking almost all of its computerized systems offline, however, the company may have absorbed a $100 million hit in lost business and other expenses, though the company has issued a statement its belief that insurance coverage will cover most or all of the losses.

MGM’s decision to take its systems offline and add extra security measures before relaunching them had impacts at almost all MGM properties. The downtime impacted several MGM-owned poker rooms, due to its loyalty system being unavailable for registering players into cash games or tournaments. One temporary victim of the downtime was the Fall Mini Series at the Borgata in Atlantic City, which was postponed from October to November due to the attack.