MGM Resorts Reveals $100 Million Cost of Recent Cyberattack

MGM Resorts, a major hospitality and entertainment company, has disclosed that a recent cyberattack, which occurred in September 2023, cost the company a staggering $100 million. This attack also resulted in the theft of customers' personal information, sparking concerns about data privacy and security.

The cyber incident, initially reported on September 11, 2023, significantly impacted MGM Resorts' main website, online reservation systems, and in-casino services, including slot machines, credit card terminals, and ATMs. This IT system outage disrupted a wide range of the company's operations.

According to a FORM 8-K filing with the SEC, MGM Resorts estimates that the cyberattack had a negative impact of approximately $100 million on Adjusted Property EBITDAR for its Las Vegas Strip Resorts and Regional Operations combined. The impact on occupancy was primarily limited to September, accounting for 88% of the disruption.

In addition to the earnings loss, MGM incurred less than $10 million in one-time expenses related to risk remediation, legal fees, third-party advisory services, and incident response measures. The company expects to be fully covered by its cybersecurity insurance.

MGM Resorts emphasizes that the financial ramifications of the cyber incident will be largely confined to the third quarter of 2023 and anticipates no significant effect on its annual financial performance.

Regarding the breach of customer data, MGM acknowledges that the attackers managed to access the personal information of customers who conducted transactions with the company before March 2019. A separate notification was sent to affected individuals, informing them that the stolen data included:

• Full names
• Phone numbers
• Email addresses
• Postal addresses
• Gender
• Date of birth
• Driver’s license information
• Social Security Numbers (SSNs)
• Passport numbers

Fortunately, MGM's investigation has not uncovered evidence that the incident exposed customer passwords, bank account numbers, or payment card information.

As a response to the data breach, MGM Resorts is providing free credit monitoring and identity protection services to those affected and advises customers to remain vigilant against unsolicited communications. They recommend reviewing account statements and monitoring credit reports for signs of fraud or identity theft.

"We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your free credit reports," warns MGM Resorts. "We also recommend that you remain alert for unsolicited communications involving your personal information."

MGM Resorts believes that the cyber incident has been contained, and all guest-facing systems have been fully restored, with any remaining systems expected to resume normal operations in the coming days. Nevertheless, the incident serves as a reminder of the ongoing and evolving cybersecurity threats faced by organizations in the digital age.