MGM Resorts says cyberattack cost $100 million, resulted in theft of customer info

A recent cyberattack cost MGM Resorts about $100 million, the Las Vegas company said in a regulatory filing on Thursday.

In its filings with the Securities and Exchange Commission (SEC), the company also acknowledged that customer information ranging from Social Security numbers to passport data was stolen during the attack.

The company did not respond to requests for comment about how many people were affected. It filed breach notification documents with regulators in Maine but left the section related to the number of people affected empty.

After discovering the attack on September 11, MGM Resorts shut down all of its systems so that the hackers could not get access to customer information, disrupting several of their properties. They said about $100 million was lost in collective damage.

In addition to its namesake resort, the company owns Mandalay Bay, the Bellagio, The Cosmopolitan and the Aria. For days, everything from slot machines to restaurant management systems and even key cards for rooms were shut off due to the attack.

“Since that time, operations at the Company’s domestic properties have returned to normal and virtually all of the Company’s guest-facing systems have been restored. The Company continues to focus on restoring the remaining impacted guest-facing systems and the Company anticipates that these systems will be restored in the coming days,” it said, expecting the incident to affect its earnings for both the third and fourth fiscal quarters.

“While the Company experienced impacts to occupancy due to the availability of bookings through the Company’s website and mobile applications, it was mostly contained to the month of September which was 88% (compared to 93% in the prior year period).”

Despite the company’s efforts, the hackers still managed to access customer information, stealing an undisclosed amount of personal data like names, addresses, phone numbers, driver’s license numbers, Social Security numbers, passport numbers and more. The company reiterated that no credit card information was accessed.

Based on their investigation, only one hotel was spared — The Cosmopolitan of Las Vegas. Hackers were allegedly not able to make their way into that hotel’s systems, according to the filing.

MGM Resorts said it expects 93% occupancy in October and to be fully restored in Las Vegas by November. In addition to the $100 million in losses, they spent “less than $10 million” on consulting services, legal fees and other expenses related to the cyberattack.

The figures disclosed in the filing are not final, with MGM Resorts noting that it is still determining the full scope of costs and related impacts.

They are setting up phone numbers and websites to provide victims with more information, And they plan to email those affected and provide identity protection services.

Despite the company’s claims that it has recovered from the incident, several local news outlets continue to report widespread issues with hotel systems.

The attack was first claimed by hackers connected to a group called Scattered Spider, who then partnered with Russian ransomware gang Black Cat/AlphV.

Scattered Spider has been behind some of the biggest hacks in the last year, including incidents involving Reddit, Riot Games, Coinbase and another casino giant — Caesars Entertainment.

This week, Bloomberg reported that the group was behind a damaging attack on manufacturing giant Clorox, which like MGM Resorts told the SEC of severe financial repercussions resulting from the incident.

Increasingly, the operational damage from ransomware attacks has forced companies to report incidents ahead of quarterly earnings.

In August, marine manufacturing firm Brunswick Corporation said a ransomware attack on their systems would cost it “as much as $85 million,” while the Canadian bookseller Indigo said it expects to lose more than $50 million following a ransomware attack that limited operations for weeks.

In February, Applied Materials – which provides technology for the semiconductor industry – said during an earnings call that a ransomware attack on one of its suppliers would cost it $250 million in the next quarter. Sun Pharmaceuticals – the fourth-largest specialty generic pharmaceutical company in the world – warned in March that its earnings would be affected by a ransomware attack as well.

Scripps Health, a California-based nonprofit healthcare provider that runs five hospitals and 19 outpatient facilities, said it expected to lose an estimated $106.8 million following a ransomware attack that hit the organization in May 2021.