MGM Resorts loses over $100M after refusing to pay ransom to end cyberattack
The 10-day cyberattack that crippled MGM Resorts’ operations is reportedly set to cost the hospitality behemoth more than $100 million, according to a regulatory filing Thursday.
Despite the hefty financial losses that resulted from the breach — where MGM’s 12 casino floors along the Las Vegas strip went dark, hotel reservations were interrupted and workers dished out hundreds worth of free food and beverage vouchers — MGM refused to pay hackers’ ransom demands, people familiar with the matter told The Wall Street Journal.
The hackers were able to obtain names, phone numbers, addresses, dates of birth and driver’s license numbers of customers who did business with MGM before March 2019, according to a letter sent to customers by CEO Bill Hornbuckle on Thursday.
Hornbuckle added that some guests’ social security and passport numbers were also compromised.
He also assured MGM customers that the hackers did not steal any bank account or credit card numbers because of how quickly the company reacted to the breach, though it’s unclear when MGM first moved to protect its systems, or how the hackers invaded its systems.
“We regret this outcome and sincerely apologize to those impacted. Your trust is paramount to us,” Hornbuckle penned.
MGM’s decision not to pay ransom to end the cyberattack was guided by the Federal Bureau of Investigation, which doesn’t support coughing up requested payments from hackers, insiders told The Journal.
The FBI’s website warns that agreeing to pay ransom still doesn’t guarantee that a company will recover all of its data, and even encourages hackers to target other deep-pocketed companies.
Still, Caesars Entertainment reportedly paid roughly $15 million in an attempt to placate hackers responsible for its own systems breach last month when they threatened to leak sensitive customer data.
The Las Vegas casino giant’s payout was approximately half of the $30 million that the hackers had demanded, the Wall Street Journal reported.
Caesars did not identify the culprits behind the cyberattack, and has said that its operations weren’t impacted.
However, digital security watchdogs have since identified hackers known in the industry as Scattered Spider, Muddled Libra and UNC3944 as the culprits behind the Caesars and MGM cyberattacks.
MGM, meanwhile, experienced a tidal wave of service interruptions that are set to have a nine-figure financial impact on adjusted property earnings before interest, taxes, depreciation, amortization and rent for its resorts across the nation — 12 of which are on the Las Vegas Strip alone.
Aside from slot machines going dark, MGM-operated hotels were also reportedly experiencing elevator outages, some guests’ hotel room keys stopped working, hotel phones were out of order and MGM’s company website crashed.
The cost of remedial technology consulting, legal and advisory services was less than $10 million, Thursday’s filing showed.
Aside from financial losses, occupancy rates took a hit at MGM in September, down 88% last month as the hospitality behemoth reeled from the cyberattack, and down 93% from last September.
MGM reportedly has enough cybersecurity insurance to cover the financial losses, and told The Journal that the overall impact of the snafu wouldn’t hurt MGM’s full-year performance too much.
Representatives for MGM did not immediately respond to The Post’s request for comment.
