MGM faces £100m loss from cyber attack on its casinos

US leisure and hospitality giant MGM Resorts has confirmed that hackers stole the personal information of an unspecified number of its customer’s following an early September cyber attack that is expected to cost the company $100m.

The 11 September cyber attack – perpetrated by the UNC3944 threat group, otherwise known as Scattered Spider, likely as an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation  – led to a 36-hour outage of multiple MGM IT systems and affected a number of its casinos on the Las Vegas strip, including the Bellagio, Excalibur, Luxor, Mandalay Bay and New York New York.

In an update on the incident, MGM said that by 29 September it had determined that hackers stole a range of personal information about its customers, including various contact information, dates of births, genders, and driver’s licence numbers.

MGM added while a “limited number of customers” social security and passport numbers were also affected, it does not believe  passwords, bank account numbers, or payment card information was compromised.

“Promptly after learning of this issue, MGM Resorts took steps to protect its systems and data, including shutting down certain systems. The Company also quickly launched an investigation with the assistance of leading cybersecurity experts and is coordinating with law enforcement,” it said.

“MGM Resorts is notifying relevant customers by email as required by applicable law and has arranged to provide those customers with credit monitoring and identity protection services at no cost to them.”

In a regulatory filing to the US Securities and Exchange Commission submitted 5 October, MGM said it expects the financial impact of the attack to be roughly $100m.

“The Company has also incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third party advisors,” it said.

“Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined.”

MGM added is has seen “no evidence” yet that the customer data obtained by the hackers has been used for identity theft or account fraud, and that “virtually all of the Company’s guest-facing systems have been restored”.

According to a report in the Wall Street Journal, while the attackers demanded an undisclosed ransom, MGM did not pay.

In mid-September, David Bradbury, chief information security officer (CISO) at identity and access management (IAM) specialist Okta confirmed that the attack on MGM – as well as Caesars Entertainment, another Las Vegas casino operator – appeared to exploit the firms technology as an access vector.

This followed a warning from Okta two weeks prior that a new wave of social engineering attacks was targeting its customers.

Speaking with Reuters at the time, Bradbury said he had seen “a ramp up” in social engineering attacks against Okta customers in the past year, and spoke of a consistent pattern of social engineering attacks that duped victims’ IT helpdesks into granting them access.