MGM Resorts has confirmed hackers stole an unspecified amount of customers’ personal information during a September cyberattack that will cost the hotel and casino giant an estimated $100 million.
The hotel and casino giant first disclosed it had been targeted by a large-scale cyberattack on September 11. The cyberattack, which was days later claimed by hackers from ALPHV subgroup Scattered Spider, caused widespread disruption across MGM’s properties, shutting down ATMs and slot machines and pulling the company’s website and online booking systems offline.
In a regulatory filing on Thursday, the company admitted that the hackers responsible for the attack obtained some personal information belonging to customers who transacted with MGM Resorts prior to March 2019. This includes names, contact information, gender, dates of birth and driver license number. For a limited number of customers, hackers also accessed Social Security numbers and passport details, the company said.
It’s not yet known how many individuals have been affected by the data breach, but MGM’s resorts attract tens of millions of visitors each year. MGM spokespeople Andrew Chapman and Brian Ahern have repeatedly declined to answer TechCrunch’s questions about the incident.
In its filing, MGM added that it does not believe that customer passwords or payment details were obtained during the attack.
MGM’s filing with regulators reveals that the company expects the attack to reduce its third-quarter profit by approximately $100 million. MGM said it has also spent around $10 million in one-time expenses related to the cyberattack, mostly on technology consulting services, legal fees and expenses of other third-party advisors.
According to The Wall Street Journal, MGM Resorts reportedly did not pay the attackers’ ransom demand, the amount of which is not yet known. When asked by TechCrunch, a representative for the Scattered Spider group did not comment. MGM’s rival Caesars Entertainment, which was also hit by a recent ransomware attack, is said to have paid about half of the $30 million demanded by the hackers to prevent the disclosure of stolen data. Media reports said the Scattered Spider group was also responsible for the Caesars cyberattack, but the group told TechCrunch at the time it had “no involvement” with the incident.
MGM said it expects that its cyber insurance policy will be “sufficient” to cover the financial impact to its business, but noted that “the full scope of the costs and related impacts of this issue has not been determined.”
The company added that it has seen “no evidence” that the data obtained by the criminal actors has been used for identity theft or account fraud.
The listing for MGM Resorts found on the dark web leak site of the ALPHV ransomware gang has not been updated since September 14, and it doesn’t appear that the hackers have yet published any of the data stolen from the hotel giant.
While MGM claims that the cyberattack has been “fully contained” and that operations at the company’s resorts have “returned to normal,” some of the MGM’s services were still not operational at the time of writing, according to customer complaints on social media, including MGM’s mobile app.
“The company continues to focus on restoring the remaining impacted guest-facing systems and the Company anticipates that these systems will be restored in the coming days,” MGM said.