MGM expects recent cyberattack cost to exceed $100 million

MGM Resorts estimates $100M loss due to cyber attack

MGM Resorts anticipates the cyberattack last month will cost them $100 million. Detected on September 10, the breach prompted MGM to halt computer systems at its U.S. properties temporarily.

During the attack, customers faced issues related to reservations, credit card transactions, cash machines and hotel room access. The attack finally concluded ten days later, on September 20, 2023.

In a letter to customers sent on Thursday, MGM CEO Bill Hornbuckle addressed the recent attack and provided updated information. The incident exhibited characteristics consistent with an extortionary ransomware attack, though MGM has not officially confirmed this.

“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” Hornbuckle said. “We also believe that this attack is contained.”

Brett Callow, from the cybersecurity firm Emsisoft, suggested that if it was a ransomware attack, it could become the most expensive one on record. Notably, in 2019, Norwegian aluminum manufacturer Norsk Hydro incurred $70 million in losses for refusing to pay ransomware criminals.

Additional $10M for one-time items

Hornbuckle assured that the incident did not compromise customer bank account numbers or payment card information. However, hackers did steal other personal details such as names, contact info, driver’s license numbers, Social Security numbers, and passport numbers of customers who did business with MGM before March 2019.

MGM has found no evidence of the hackers using this data for account fraud or identity theft. The company plans to contact affected consumers via email, offering free identity protection and credit monitoring services.

“We regret this outcome and sincerely apologize to those impacted,” Hornbuckle said.

In addition to the expected $100 million loss in adjusted property earnings, MGM foresees expenses of less than $10 million for one-time items, like legal fees and technology consulting.

MGM was not the only business facing hackers last month. Caesars Entertainment also reported a cyberattack on September 7. Despite this, the Reno-based company experienced no disruptions to its casino and online operations.

Caesars reportedly paid $15 million of a $30 million ransom requested by a group known as Scattered Spider in exchange for data security. In contrast, MGM declined to pay the hackers’ ransom demand in September.