MGM Resorts International has filed financial disclosures asserting that the company has suffered approximately $100 million in lost revenue due to the extortion-based cyberattack launched against MGM last month.
The attack, which began on September 11, crippled operations at most MGM Resorts while affecting most major computerized systems. MGM took some systems offline voluntarily as it began investigating the extent of the attack and accompaning theft of customer data.
Most MGM venues experienced long wait lines as hotel-registration systems were forced offline. The affected and often interconnected systems ran the gamut of most venues' operations and services, including ATMs, computerized room keys, parking-ramp access, digitally-banked slots and other jackpot games, credit-card processing, and much more.
MGM properties offering poker suffered impacted services in that area as well, since reservation systems and loyalty-program connections were also forced online. A couple of venues shuttered their poker rooms briefly following the attack's onset.
Investigation revealed some customer data stolen
In the most recent update on the cyberattack, MGM Resorts revealed that an investigation lasting more than two weeks revealed that significant amounts of customer data were also compromised. "The affected information included name, contact information (such as phone number, email address, and postal address), gender, date of birth, and driver's license number," MGM Resorts reported. "For a limited number of customers, Social Security number and/or passport number was also affected. The types of impacted information varied by individual."
The update added, "The Company does not believe customer passwords, bank account numbers, or payment card information was affected by this issue." Much of the stolen data is believed to have come from the accounts of MGM customers that were created before March of 2019. One MGM Resorts property, the Cosmopolitan, is also believed to have been unaffected in terms of actual data theft.
MGM also continues to work with cybersecurity experts and law enforcement agencies to identify and apprehend the groups and individuals responsible for the attack. Hacking groups that have claimed responsibility or have been linked to the attack have been traced to the US, England, Russia, and other countries. No individuals have as yet been apprehended in connection with the attack and theft.
MGM Resorts claims insurance will cover majority of loss
In a separate SEC filing, MGM Resorts pegged the estimated losses attributable to the attack at $100 million to date. The largest share of that estimated loss is due to reduced revenue from hotel-room occupancy at affected properties. MGM Reports expected to post a company-wide occupancy rate of 93% for the month of September, but with its reservation systems offline and customers forced to endure hours-long waits, the actual occupancy rate fell to 88%.
MGM Resorts also incurred another financial hit, estimated at less than $10 million, for various one-time expenses related to the cybersecurity attack. Those expenses consisted of technology consulting services, legal fees, and expenses of other third-party advisors.
The company, though, believes insurance will cover most of the loss. MGM Resorts' SEC disclosure states, "Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined."
New wave of attacks reportedly affecting BetMGM customers
Despite the relatively positive spin the MGM Resorts filings presents, all may not be as well as the company indicated. A new wave of attacks targeting MGM Resorts' sports-betting customers at its BetMGM brand appears to have been launched. Numerous reports posted in the unofficial "MGM Rewards" Facebook group claim that their accounts have been hacked, passwords and contact information changed, and balances withdrawn to presumed hackers' accounts or credit cards, likely of the generic, over-the-counter variety.
Some of the messages also claim that BetMGM's customer service has responded by stating they can't do anything for the allegedly affected customers. The claimed account hackings and theft of funds have yet to verified or acknowledged by BetMGM or any official source. If true, however, it represents a new front in the ongoing wave of attacks.
MGM Resorts to launch help line, credit monitoring
MGM Resorts has also established a dedicated help line where customers can ask questions related to the cyberattack and data theft. The help line is available at 800-621-9437 toll-free Monday through Friday from 8 am to 10 pm Central time, and Saturday and Sunday from 10 am to 7 pm Central time, except for major U.S. holidays. The help line system asks customers to reference engagement number B105892 when calling.
MGM Resorts has also set up a webpage at www.mgmresorts.com/importantinformation with additional information related to the attack's fallout. In a few weeks, MGM Resorts will also be emailing impacted customers, as required by law. MGM will be offering free identity-protection and credit-monitoring services to impacted customers.
