Gaming giant MGM Resorts has admitted the cyberattack that crippled its casinos in Las Vegas and beyond last month likely cost some $100 million in lost profits.
The company made the disclosure in a regulatory filing on Thursday evening, nearly a month after hackers caused massive disruptions that froze online booking systems, knocked slot machines offline, and even disabled digital locks on hotel room doors.
MGM said it also expects to incur $10 million in one-time expenses related to the attack, consisting of fees to legal and tech advisors who helped respond to the breach.
However, MGM refused to pay the ransom demanded by hackers to end the cyber assault and restore operations to normal, a person familiar with the matter told the Wall Street Journal.
That’s in contrast to Caesars Entertainment, which suffered no public disruptions after reportedly paying about $15 million to hackers in a breach last month, believed to have been carried out by the same Russia-linked ransomware gang that struck MGM.
An error message is displayed on a machine at MGM Grand in Las Vegas on September 12 after a cybersecurity attack hit the gaming giant, affecting reservations and casino floors
If so, MGM’s refusal to pay the ransom ended up costing the company more than seven times the hit Caesars took in making the alleged payoff.
The FBI strongly advises against paying ransoms to hackers, warning that bowing to the demands only encourages further attacks. Still, many companies quietly meet ransom demands to avoid business disruptions and negative headlines.
MGM has previously declined to comment on whether it was asked for or paid any ransom. A spokesperson did not immediately respond to a request for comment from DailyMail.com on Thursday night.
MGM CEO Bill Hornbuckle also issued a statement on Thursday confirming that the hackers did not obtain customer banking information, but that personal information from some customers was compromised.
‘We do understand that the criminal actors obtained certain personal information belonging to some customers who transacted with us prior to March 2019,’ said Hornbuckle.
‘This includes name, contact information, gender, date of birth, and driver’s license number. The types of impacted information varied by individual,’ he added.
‘We also believe a more limited number of Social Security numbers and passport numbers were obtained. We have no evidence that the criminal actors have used this data to commit identity theft or account fraud.’
Hotel guests wait in line as they check in at Luxor hotel and casino in Las Vegas on September 14 after MGM Resorts International suffered a cybersecurity attack
An error message is displayed on a kiosk at Aria Resort and Casino on September 11 after MGM Resorts International suffered a cybersecurity attack
A sign warns guests of difficulties with gambling machines following a hack targeting MGM Resorts International, at Luxor hotel-casino on September 13
Guests wait to check in at the Bellagio on September 15 in Las Vegas. The breach disrupted reservation systems and caused aggravations and delays for guests
The hackers who targeted MGM are believed to be ransomware hackers, who are primarily motivated by extracting ransom payments from the victim company.
However, such groups may also attempt to turn a profit by selling stolen personal information, or punish the corporate victim by publishing the data in public forums.
A Russia-linked ransomware gang named AlphV, also known as BlackCat, previously claimed it was involved in the MGM breach.
Cybersecurity experts believe AlphV worked with an affiliated hacker group called Scattered Spider, which is primarily composed of young adults and teens in the UK and US, to perpetrate both the Caesars and MGM breaches.
Analysts who track Scattered Spider say more and more organizations have been falling for the group’s skilled social engineering schemes, which often involve phone calls to IT support desks posing as a company employee.
After the attack last month, videos posted from MGM properties on the Las Vegas Strip, including ARIA and Bellagio, showed painfully long check-in lines and some slot machines that were knocked offline.
Functioning slot machines were cash-only and set to handpay, meaning winnings had to be doled out by human staffers, and MGM handed out dining credits and free alcohol to appease irate guests.
‘The full scope of the costs and related impacts of this issue has not been determined,’ MGM said in a regulatory filing.
The company expects the breach will have a negative impact of about $100 million to its adjusted property core profit for its Las Vegas Strip division, and expects total occupancy of 93 percent in October versus 94 percent in the same month a year ago.
‘Virtually all of the Company’s guest-facing systems have been restored,’ it said, adding that it expects no impact on its full-year results from the breach.
MGM said it is ‘well-positioned’ to have a strong fourth quarter with record results in November, driven mainly by a Formula One racing event slated to take place in Las Vegas.
The company noted no data from its luxury resort hotel The Cosmopolitan of Las Vegas was breached.
The FBI previously told DailyMail.com that it is investigating the incidents at both Caesars and MGM, adding: ‘As this is an ongoing investigation, we are not able to provide any additional detail.’