MGM Resorts Reveals Over $100M in Costs After Ransomware Attack

MGM Resorts International has disclosed that costs resulting from a ransomware attack in September have surpassed $100m, including $10m in one-time consulting clean-up fees. 

In an SEC 8-K filing published last Thursday, the company cited operational disruptions, particularly within its Las Vegas properties, as the primary reason for this significant financial toll.

The swift response to the data extortion attack involved taking systems offline to contain the threat, preventing threat actors from accessing customer bank account numbers or payment card information. The company believes this fast reaction was essential in averting a potentially more catastrophic breach.

“Although the $100m in losses are costly on the surface, MGM’s decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government and law enforcement,” commented Anne Cutler, cybersecurity evangelist at Keeper Security.

“Paying a ransom to cyber-criminals does not guarantee a full return of an organization’s systems and data, and only furthers the ransomware ecosystem.”

The financial impact is expected to mainly affect the third quarter of 2023, particularly in MGM Resorts’ Las Vegas operations, with minimal repercussions during the fourth quarter. Although cybersecurity insurance is anticipated to cover a substantial portion of the financial impact, the total scope of costs and related impacts from this incident is still undetermined.

“It’s important to look at this in the context of their income. MGM is a huge organization that is very profitable. With revenues of $14bn, it’s easy to see why they’ve flagged this as not material,” clarified Andrew Barratt, vice president at Coalfire.

“However, it doesn’t mean they're too big to hack. Quite the opposite. It shows that larger organizations are likely a very profitable target for OCGs with cyber capability.”

In fact, MGM Resorts has identified that personal information, including names, contact details, gender, date of birth and driver’s license numbers, was accessed by the threat actors for specific customers who had transacted with the company before March 2019. Social Security and passport numbers were also obtained for a limited number of customers. 

However, according to the SEC filing, customer passwords, bank account numbers and payment card information are believed to be safe from the breach. The company has set up a dedicated helpline and webpage to address customer inquiries and offer identity protection and credit monitoring services.

Read more about the incident: MGM Resorts Hit By Cyber-Attack, Systems Down

Despite the incident, MGM Resorts said it is continuing to invest in enhancing its cybersecurity measures with the support of industry-leading experts to minimize future risks and safeguard customer data.
