According to a report by TechCrunch, MGM Resorts International, the renowned hotel and casino behemoth, confirmed on Thursday that a substantial cyberattack in September resulted in unauthorized access to some customers' personal data. The incident, which first came to light on September 11, brought significant operational disruptions. The attack, which was later attributed to the ALPHV subgroup Scattered Spider, not only wreaked havoc on MGM’s on-site ATMs and slot machines but also rendered the company’s website and online booking system inoperative.
Details of the Breach
According to official filings, the attackers extracted a range of personal details belonging to customers who did business with MGM Resorts before March 2019. The exposed data included names, contact information, gender, birth dates, and driver's license numbers. In some instances, more sensitive details such as Social Security numbers and passport details were also accessed.
While MGM Resorts has remained tight-lipped about the exact number of affected customers, one must remember that their properties welcome tens of millions of patrons annually. Despite multiple inquiries from media outlets like TechCrunch, MGM representatives, including Andrew Chapman and Brian Ahern, have maintained a consistent silence regarding the data breach's finer details.
However, the silver lining is that the company firmly believes that the cybercriminals did not acquire any payment information or passwords during their digital foray.
Financial Impact & Ransom Details
MGM Resorts anticipates a dent in its third-quarter profits, estimating the loss from this cyber intrusion at around $100 million. The company has already incurred around $10 million in preliminary response costs, channeled toward technology consulting, legal advice, and other associated post-breach activities.
A noteworthy element of this incident is MGM's purported refusal to comply with the hackers' ransom demands, the sum of which remains undisclosed. This stance contrasts with that of their competitor, Caesars Entertainment, which reportedly conceded to half of a $30 million ransom to thwart the publication of its purloined data after a similar attack.
Interestingly, while some media channels pointed fingers at the Scattered Spider group for the Caesars cyberattack, the group distanced itself, asserting it had no ties with that specific breach.
Future Outlook and Customer Concerns
MGM Resorts remains optimistic about its cyber insurance policy covering the incurred financial damages. However, they did mention that the full extent of costs and subsequent impacts remains undetermined.
In a reassuring note to its vast customer base, the company announced that there's no concrete evidence indicating misuse of the acquired data for illicit activities like identity theft or account fraud. Even the dark web listings by the ALPHV ransomware gang haven't showcased any data associated with MGM Resorts since September 14.
Although MGM has proclaimed the cyberattack "fully contained," with operations returning to normal, certain customer services, including the MGM mobile app, remain dysfunctional. In response to the ongoing inconvenience, the company says that a full restoration of all affected services is underway and will be achieved in the coming days.