MGM Resorts Hit With Suspected Cyberattack

On Monday, MGM Resorts International reported a “cybersecurity issue” that took the company’s website and some onsite guest services offline and downing several gambling machines, impacting MGM-branded hotels in Las Vegas and other locations nationwide. MGM’s multiple websites for its properties have been offline since the suspected cyberattack.

“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts,” according to a statement posted by the company on X (formerly Twitter). “We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”

Ransomware Event Suspected

VX-Underground, a malware research group that boasts “the largest collection of malware source code, samples, and papers on the internet,” posted on X Tuesday, crediting the cyberattack to ALPHV, also known as BlackCat. “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” the group said, adding, “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

The F.B.I. is reportedly investigating the incident that began Sunday night and affected resorts in Las Vegas and other states, including Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York, and Ohio. The F.B.I.’s involvement has caused speculation that a ransom may have been paid to those responsible for the cyberattack. In 2022, the Cybersecurity and Infrastructure Security Agency issued an alert regarding ALPHV and the use of ransomware based on a F.B.I. flash report outlining the group’s attack on roughly 60 entities worldwide.

“This has all the hallmarks of a ransomware event,” said David Kennedy, founder of TrustedSec, in an interview with MSNBC. “The weekend is usually when ransomware attacks kick off because most of the IT and security folks are at home, and it causes pandemonium and mayhem,” he said. “They’re not just shutting down systems, but they steal data,” adding that this includes credit card information and social security numbers, and other personal information. Kennedy also noted that while gaming casinos such as the MGM Grand have very high standards for physical security, many aspects of their cyber security are lacking in many crucial areas, making them more vulnerable to such attacks. 

A Financial Ripple Effect

On Tuesday, MGM Resorts International filed a Form 8-K with the U.S. Security Exchange Commission (SEC). As of September 5, the SEC requires all U.S. public companies to notify it of any cybersecurity incidents.

However, the suspected cyberattack may have far-reaching and material implications for the company as stock value has steadily declined since the incident was first reported on Monday. MGM stock (NYSE: MGM) value fell roughly 4% from $44 a share to just over $41, highlighting the credit rating agency Moody’s adding MGM Hotels International to a negative watch following the incident. Capital One Financial, Equifax, and Sony, among others, all of which experienced a decline in stock value following the disclosure of similar incidents.

According to a Bloomberg report, Caesars Entertainment paid tens of millions of dollars to hackers who threatened to release sensitive company information following a data breach caused by a cyberattack in late August.

Coincidentally, the issue occurred at the same time as the IBM TechXchange Conference 2023, which is taking place Sept. 11-14 at the MGM Grand in Las Vegas. A key component of the conference is showcasing IBM’s various products to defend against cybersecurity issues such as data breaches. “Data breach costs continue to grow, according to new research, reaching a record-high global average of $4.45 million, representing a 15% increase over three years,” according to the report, “What’s new in the 2023 Cost of a Data Breach report?” published by IBM in July, highlighting the realities of such incidents.

Keeping Attendee Data Protected 

Monday’s suspected cyberattack was not the first incident of that nature the company has experienced. In 2019, a data breach compromised the personal data of 10.6 million guests.

The liability for failing to protect guest and attendee data increasingly falls to event organizers, particularly when attendees must upload sensitive information to online platforms. The European Union’s General Data Protection Regulation (GDPR) dictates that event organizers are liable for irresponsible data collection and tracking that can expose attendees to potential threats. 

In May, the first major fine was levied against the GSM Association, organizers of the MWC Barcelona show, regarding the 2021 edition. The Spanish data protection authority fined the non-profit $219,000 (€200,000) following a complaint from a data privacy expert speaking at the event.