MGM Resorts refused to pay a ransom to the group that hacked its systems last month which shut down its online hotel booking system, locked guests out of their hotel rooms by de-activating their key cards, and disrupted the technology in its slot machines. MGM reported that it resumed full operations on Thursday, but the cyberattack has cost the company $100 million in lost revenue.
The company attributed the financial loss to the cyberattack in its third quarterly filing, saying it impacted hotel occupancy because bookings are largely handled through its website and mobile applications. The report said its financial loss this quarter was mostly contained to September, adding that occupancy was down by 88% in September compared to the same time in 2022. The company said it had expensed less than $10 million related to cybersecurity, including technology consulting services, legal fees, and expenses.
Speaking on the cyberattack, cybersecurity expert, Casey Ellis, told NBC News affiliate, News3 Las Vegas: “It’s a lot of money. But it’s one of the reasons why, you know, ransomware operators and cyber criminals do their thing.” Ellis continued: “The fact that MGM was even able to recover from this in the first place is kind of a testimony that they weren’t sufficiently coerced to the point where they just paid the ransom. And they got it done with getting it done that way, which suggests that they’ve been quite proactive about trying to prevent stuff like this.”
The attack was detected on Sept. 11, affecting seven MGM locations across the U.S. including Maryland, New Jersey, New York, and others. MGM claimed in an open letter to patrons that its quick response protected current customers’ accounts and data, but that some customers who had visited their resorts or casinos prior to March 2019 had been affected.
“The types of impacted information varied by individual. We also believe a more limited number of Social Security numbers and passport numbers were obtained,” MGM said in the letter. “We have no evidence that the criminal actors have used this data to commit identity theft or account fraud,” it added.
In the regulatory Q3 filing, MGM confirmed the hackers had gained access to other personal information including the names, contact details, genders, dates of birth, and driver’s license numbers of customers who transacted with MGM Resorts prior to March 2019.
MGM has not confirmed how much money the hackers demanded in ransom or how its IT systems were hacked. The company instead said it expects its cyber insurance policy will be “sufficient to cover the financial impact to its business as a result of the operational disruptions” and the “one-time expenses” it incurred. It added that “the full scope of the costs and related impacts of this issue has not been determined.”