
Bill for MGM Ransomware Attack Expected to Top $100 Million

At this point MGM has mostly restored normal operations after its September ransomware attack, but a new SEC filing indicates the company expects a $100 million negative impact for Q3 due to cleanup costs and lost business.

MGM believes that the impact is mostly limited to the month of September, with the issues beginning on the 10th or 11th of that month. A recent data breach notification sent to customers indicates that “some” had driver’s license numbers and contact information stolen, with a smaller number having Social Security or passport numbers taken.

Extended recovery from ransomware attack had major impact on September business

MGM’s SEC filing indicates that the company’s losses came more from its immediate shutdown of most of its online systems than from direct damage caused by the ransomware attack. The company was slow to restore guest-facing systems, with some of its floor games and property amenities taking weeks to return to normal, but it says that the shutdown also prevented the attackers from accessing any financial information.

The loss also appears to come mostly from Vegas hotel bookings, the market in which MGM has most of its resources concentrated. Guests were unable to access the MGM website or mobile app for an extended period after the ransomware attack and were forced either to call in reservations by phone or to simply show up at the front desk. Long lines were also common at properties during this period as the hotels shifted to manual operations. The company says that it ran at 88% occupancy during September, down from 93% the prior year. It expects to recover to close to normal numbers in October and to be “fully recovered” in this area by November.

MGM says that just $10 million was spent on one-time cybersecurity and cleanup costs such as legal fees and third-party consulting. The company believes that its cybersecurity insurance will cover nearly all of the costs associated with the ransomware attack, but it does not have a detailed financial projection available at this time.

The company also told the SEC that the ransomware attack has been contained, and provided more details on exactly what personal information was stolen. The contact information and ID numbers are apparently limited to guests who stayed at properties or transacted online prior to March 2019; guests of the Cosmopolitan (which MGM purchased in mid-2022) are not impacted.

Questions remain after MGM updates

The September ransomware attack, perpetrated by a criminal group called Scattered Spider, provided an unusual side-by-side comparison of two industry rivals handling the same cyber incident at roughly the same time. Scattered Spider used the same approach to compromise Caesars Entertainment shortly before it hit MGM. The two companies own most of the casino-hotel properties on the Vegas Strip, and Caesars saw an uptick in business from former MGM customers after paying a $15 million ransom to keep its systems online and avoid any business disruptions.

Anne Cutler, Cybersecurity Evangelist at Keeper Security, notes that though Caesars seemed to get the better of this one, paying ransom demands remains a risky option: “Although the $100 million in losses are costly on the surface, MGM’s decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government and law enforcement. Paying a ransom to cybercriminals does not guarantee a full return of an organization’s systems and data, and only furthers the ransomware ecosystem.”

Bud Broomhead, CEO at Viakoo, additionally argues that resilience matters more than size: “No company is too big to hack; the key issue is a business too resilient to hack. MGM may have invested heavily in backup and recovery, and may use this attack to learn where their weaknesses are so next time they will be even more resilient to attack. MGM deserves credit for not paying the ransom; hopefully their example will push more organizations to focus on resiliency and business continuity. It’s never a question of will you be hacked, just when you’ll be hacked and how prepared you are for it.”

MGM has yet to confirm that it was in fact a ransomware attack, though Scattered Spider publicly claimed to have encrypted over a hundred ESXi hypervisors used to run the company’s virtual machines. It is also unclear exactly how much coverage MGM has for ransomware, something that even large companies have increasingly had trouble obtaining as the market contracts due to rising costs.

It is also still not entirely clear where within the company the stolen personal information came from. MGM has yet to say, but the Caesars SEC filing reported that the stolen information in that incident came from its “Caesars Rewards” loyalty program. If MGM’s data similarly came from its “MGM Rewards” loyalty program, driver’s license or passport numbers may have been recorded during hotel check-ins. The Social Security numbers that were taken may have been collected when certain program members won jackpots that require tax information to be recorded, or when they opened lines of credit with one of MGM’s casinos. Scattered Spider has only said that it exfiltrated a total of six terabytes of data from the two companies combined.

MGM is expecting a quick financial recovery from any shortfall that its insurance policy may leave, with Formula 1 racing making its debut in the city on November 16-18. Crews have already spent months preparing a stretch of road near the Strip for the first Las Vegas GP, which is expected to pack out hotels for several days with guests paying rates that are far above normal. That windfall does not appear to be going to any potential victims of the information exfiltrated during the ransomware attack, as thus far MGM is only making the standard offer of a free period of credit monitoring.