The MGM Resorts casino hack … where was the regulator?
The hacking of MGM Resorts’ computer and data storage systems in September last reportedly cost the group around US$100 million in EBITDAR, according to its SEC filing dated October 5, 2023. Having personally experienced the impact of the cyberattack, I believe it would have suffered even greater losses, but for the apparent slow response of its casino regulator, the Gaming Control Board. Let me explain.
I checked into MGM’s Aria property on the Las Vegas Strip on 12 September, having stayed there, without incident, a week earlier. While travelling from Utah back to the property, I heard a radio report that Strip properties operated by MGM had been the target of a large-scale cyberattack. It came as no surprise, therefore, that check-in was chaotic, as staff had to complete formalities manually. Clearly additional personnel had been drafted in to deal with reams of computer printouts containing reservation details, which had to be consulted and cross-checked with customer ID. Quite an undertaking for a property with around 4000 rooms! In the circumstances the front desk folk could not be faulted for their performance.
On walking through the casino to the elevators (which incidentally were staffed by employees to mitigate the risk of patrons being stuck in them), ATMs and machines and tables all appeared to be functioning normally. This was a contrast with the hotel’s bars which by that time were cash only, and no room charges. Several hours later, while sat at a bar adjacent to the gaming floor, I noticed a number of people sitting at machines with tower lights illuminated, apparently waiting for a machine re-set or a hand-pay. To get a better appreciation of what was happening, I played a 10c TITO machine, cashing out, or rather attempting to when I had a small win. No ticket was forthcoming. The tower light illuminated so I sat waiting for an attendant to hand-pay my winnings (about US$50).
After 20 minutes, nearby patrons told me I would likely be waiting two to three hours as there was only one attendant known to be servicing the entire floor.
Had I won say US$5000 and had a spare two to three hours, I would likely have waited around. In fact someone had won US$2,500, a problematic amount considering tax needs to be withheld on wins of US$1,200 or more and the win reported to the IRS. Another player had won US$600 but had a work commitment which made it impossible for him to wait for such an extended period for his pay-out. Like me, he did not have an MGM Player card, and even if he did, there could be no certainty that it had recorded his play.
Returning to the scene some two hours later after dinner, it appeared that all machines on the floor had been shut down. The machine I had played had been cleared, raising the question as to how I could claim my winnings. I had no evidence that I had won; no screenshot, no player card, and no third party record of it. Unlike the two other winners I mentioned previously, my win was immaterial, but it did set me thinking … where was the Gaming Control Board (GCB) while this was going on?
Later that evening I sent an email to GCB asking why MGM had continued to operate its slot machines. By the time I played the machine in question, MGM must have known that the TITO system was not functioning, either reliably or, more likely, at all. I put the following to the GCB:
“If MGM Resorts knew, or should have known that its machines could not issue tickets for winnings, why was it allowed to continue to operate its gaming machines? To me, it is an egregious violation of the rules and/or spirit of game fairness… Where was GCB in all of this?”
The next day, I received a response to the effect that the attack on MGM Resorts was unprecedented, and that the GCB was working with the company to remedy the situation.
With respect to the GCB, cyberattacks are hardly “unprecedented”; in fact, they are a pervasive business risk, the likelihood and severity of which many corporates have under-estimated to their great cost, both monetary and reputational. Any Risk and Audit Committee of a listed corporation which does not have this risk at or near the top of its list is not doing its job.
I replied to GCB, not wishing to let it off the hook quite so readily when it came to machines that had been cleared with money still owed to players:
“How does MGM propose to track and reimburse them, when there is no record that I am aware of as to who won what? Taking photos is obviously not an option; apart from re-visiting the gaming floor and physically identifying a machine which registered a win, how else does the company propose to identify players owed winnings…through surveillance? To me, the bottom line is that the machines should never have been allowed to operate until the precise nature of the risk and its impact had been determined. It is interesting that many of the machines on the floor were turned off later the same evening. Rather too late for many.”
I received no response. Perhaps that is understandable; the State of Nevada collects tax on the gross gaming revenue of its licensees, and even at 6.75% that gives it a real interest in seeing GGR maximised. According to the Nevada Department of Taxation, MGM Resorts is by a considerable margin the largest taxpayer in Nevada.
Most players are likely vacationers or convention delegates from out of State or country, so why should GCB concern itself and deploy resources to monitor and direct how those people are identified and compensated?
The obvious rejoinder is, because that is its role! It should be protecting players, given that is an essential underpinning of the Nevada gaming law. I attribute no malice to anyone involved, just complacency and under-preparedness.