Jae C. Hong / AP
The Las Vegas Monorail passes by MGM Grand, April, 27, 2006, in Las Vegas.
Thursday, Oct. 5, 2023 | 5:19 p.m.
MGM Resorts International is apologizing for cybersecurity issues that disabled its systems in September and estimates the losses from the cyberattacks at $100 million, according to a filing with the U.S. Securities and Exchange Commission.
All 28 of MGM’s properties — including those on the Strip — were targeted in the cyberattack that started on Sept. 10.
A statement from MGM in September revealed little about the nature of the attack, but said they had to shut down certain systems in an effort to protect data. This shutdown prevented credit card transactions and crashed the BetMGM sports betting mobile app and company websites. It also impacted digital access to guest rooms and halted some slot machine play.
“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” Bill Hornbuckle, CEO of MGM Resorts International, said in a letter on the company's website addressing customers. “We also believe that this attack is contained.”
Systems slowly started to return to normal at the end of September. The company said on Sept. 20 that its casino and hotel services were “operating normally,” although online room booking at mgmresorts.com remained shuttered.
The company believes they will “have a strong fourth-quarter,” especially with the November Formula One race on the horizon to help them rebound.
MGM said it “incurred less than $10 million in one-time expenses related to the cybersecurity issue, including technology consulting services, legal fees and “expenses of other third-party advisors.”
The full scope of costs and related impacts from the cyberattack has not yet been determined, but the company thinks their cybersecurity insurance will be enough to cover the business’s financial impact, the company said in the SEC filing. But the company reported it “estimates a negative impact from the cyber security issue in September of approximately $100 million.”
It was also revealed by Hornbuckle that a third party accessed personal data from some MGM customers on Sept. 11. Customers who made transactions through MGM before March 2019 had their name, contact information, gender, date of birth and driver’s license number pulled.
MGM does not believe data from The Cosmopolitan was accessed by the attackers.
Hornbuckle said the “types of impacted information varied by individual” and that “a more limited number of Social Security numbers and passport numbers were obtained.” The company has no evidence that the third party has used the data to commit identity theft or account fraud, he noted.
Following the cyberattack, MGM has “built, restored and further strengthened portions of our IT environment.” They are also offering free identity protection and credit monitoring services to people who receive an email from us indicating that their information was released, Hornbuckle said.
The hotels affected include Bellagio, Aria, Vdara at Aria, MGM Grand, the Signature at MGM Grand, Mandalay Bay, Delano Las Vegas, Four Seasons, Park MGM, NoMad Las Vegas, New York-New York, Luxor and Excalibur.
The company has established a toll-free call center that can be reached at 800-621-9437 Monday through Friday from 8 a.m. to 10 p.m. Central time or Saturday and Sunday from 10 a.m. to 7 p.m. Central time.
A webpage also provides information at www.mgmresorts.com/importantinformation
