MGM Resorts computers back up; analysts eye effects of casino cyberattacks
MGM Resorts brought to an end a 10-day computer shutdown prompted by efforts to shield from a cyberattack data including hotel reservations and credit card processing, the casino giant said Wednesday, as analysts and academics measured the effects of the event.
"We are pleased that all of our hotels and casinos are operating normally," the Las Vegas-based company posted on X, the platform formerly known as Twitter. It reported last week that the attack was detected Sept. 10.
Rival casino owner Caesars Entertainment also disclosed last week to federal regulators that it was hit by a cyberattack Sept. 7. It said that its casino and online operations were not disrupted but it could not guarantee that personal information about tens of millions of customers, including driver's licenses and Social Security numbers of loyalty rewards members, had not been compromised.
Caesars, based in Reno, is widely reported to have paid $15 million of a $30 million ransom sought by a group called Scattered Spider for a promise to secure the data.
Details about the extent of the MGM breach were not immediately disclosed, including the kind of information that may have been compromised and how much it cost the company.
Gregory Moody, professor and director of the cybersecurity program at the University of Nevada, Las Vegas, pointed to quoted estimates that the computer shutdown cost the company up to $8 million per day, which could put the cumulative effect at $80 million. But Moody also noted that MGM Resorts reports annual revenues above $14 billion, which would mean it averages at least $270 million in revenues per week.
The company reported Wednesday that systems handling resort services, dining, entertainment, pools and spas were operational and its website and app were taking dining and spa reservations while the company worked to restore hotel booking and loyalty reward functions.
"MGM Resorts properties in Las Vegas and throughout the country are back to normal operations," spokesman Brian Ahern told The Associated Press. MGM also has properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio.
FBI spokeswoman Sandra Breault in Las Vegas declined to comment and referred to a previous statement by the agency saying an investigation was ongoing.
Experts said the attacks exposed critical cybersecurity weaknesses at MGM and Caesars and shattered an image of casino invulnerability.
"At this point, all casinos should be moving to the highest defensive posture possible and taking active measures to verify the integrity of their systems and environment, and reviewing - if not activating - their incident response processes," said Christopher Budd, a director of threat research at cybersecurity firm Sophos X-Ops. "There's been attacks against multiple casinos, and it's possible we'll see more."
Caesars Entertainment is the largest casino owner in the world, with more than 65 million rewards members and properties in 18 states and Canada under the Caesars, Harrah's, Horseshoe and Eldorado brands. It also has mobile and online operations and sports betting.
MGM Resorts is the largest private employer in Nevada, operating tens of thousands of hotel rooms in Las Vegas at its flagship MGM Grand and properties including Bellagio, Aria, New York-New York and Mandalay Bay. It also operates resorts in China and Macau. It employees 75,000 people in the U.S. and abroad.
Caesars stock traded Wednesday at $50.17 per share, up 36 cents for the day. MGM shares were at $38.77, down 43 cents. Both companies are expected to disclose effects of the attacks in quarterly reports next month to the Securities and Exchange Commission.
The attack on MGM also has been attributed to Scattered Spider, a group of English-speakers also sometimes known as ktapus operating under a Russia-based operation called ALPHV or BlackCat.
"But there are a lot of conflicting reports," said David Richardson, an executive at cybersecurity firm Lookout. "You have Scattered Spider claiming that they've done both in various forums, and ALPHV, saying that Scattered Spider wasn't involved with the other. But there's a lot of technical evidence that shows that there's a relationship between the two."
Lisa Plaggemier, executive director at the nonprofit National Cybersecurity Alliance, called MGM's decision to shut down vulnerable systems to prevent intrusion a positive step but said it highlighted "significant" security gaps and an urgent need for substantial investment in employee training and cybersecurity. The risk, she said, is "downtime and financial losses."
"Caesars Entertainment's decision to pay the ransom highlighted a lack of confidence and investment in their cyber defenses," Plaggemier said.
Moody, at UNLV, said via email that the attacks showed that even for well-prepared or technically advanced companies, "it is not a matter of if you get attacked, but when you get attacked."
"Any target can be breached, as defense cannot win 100% of the time," he said. "It is not that MGM did 'bad' or was negligent. If an advanced persistent threat, defined by its heightened skills, resources and time, targets you, they will find a way to access what they should not."