MGM Resorts International estimates that the cyberattack last month will have an impact on adjusted EBITDAR of its properties for the third-quarter by $100.0 million.
On September 11, the operator had to close certain systems due to a cyber security issue. MGM Resorts’ website also went down during this cyberattack.
MGM released an update one week later, saying that it worked to “normalize’ operations at Excalibur Las Vegas.
MGM now says that operational disruptions at the affected properties have had a negative effect on Q3, concluded on 30 September. It says that this will primarily affect the performance of their operations in Las Vegas.
In Q3, the adjusted property EBITDAR of Las Vegas Strip Resorts will suffer a negative impact of $100.0m.
MGM optimistic about Q4 and the full year
MGM says that the impact will be minor in Q4 and it doesn’t expect any material effects on their financial situation or results.
MGM expects to have a record-breaking November thanks in part to the Formula 1 race that will be held for the first ever time next month in Las Vegas.
MGM reports that the occupancy rate in September was 88%. The occupancy rate for September was 88%, down from 93%.
MGM also notes that the company incurred a one-time expense of less than $10m during Q3 in relation to this cyberattack. This included legal fees, technology consulting and other expenses of third-party advisers.
MGM says that the financial effects of this incident are still unknown.
MGM stated that “although the company believes its cyber insurance policy will cover its financial impact as a consequence of operational disruptions and the above-mentioned one-time costs, and any future expenses,” the scope and cost of the issue and its related effects have not yet been fully determined.
According to the investigation that is ongoing, the company has concluded at this point that there are no unauthorized activities by third parties.
MGM promises to support its customers
MGM released a new update that revealed what type of data was taken during the attacks. The information stolen includes names, addresses, dates of birth and gender of customers, as well as their driver’s licence number.
MGM says that for a small number of players the social security numbers and passport numbers were also affected. The types of information affected varied depending on the individual, MGM says.
MGM has stated that they do not think the passwords of players, their bank accounts or card payment information were affected.
MGM immediately took action to secure its data and systems after discovering the cyberattack. This included shutting down some systems. MGM also conducted an investigation, with cybersecurity experts’ assistance. It continues to work with law enforcement on the case.
MGM has begun notifying affected customers. It will also provide them with free credit monitoring services and identity protection.
MGM Resorts said that it takes security and privacy of data and systems very seriously. It has taken additional measures to protect these systems.
Hacker group Scattered spider, which is part of the ransomware collective reportedly responsible for this breach, claims responsibility.
Scattered Spider claimed to have launched ransomware on MGM’s computer systems. Scattered Spider also warned that it would launch more attacks against MGM’s systems if MGM did not pay the ransom demands.
Caesars is also a victim of cyberattack
Caesars Entertainment reported the same issue a few days after MGM had been hit by a cyber-attack. The operator reported that its loyalty program was compromised in a Securities and Exchange Commission filing on September 14.
After an investigation it became clear that attackers had obtained data on customers, including a database of Caesars loyalty program. The database contained the social security and driver’s licence numbers of different loyalty program members.
Caesars said that the attacks on its mobile apps and locations, including Caesars Entertainment, had not affected their customer-facing aspects.
Media sources reported that Caesars had paid ransoms in the tens or hundreds of millions to cyber-attackers. MGM is believed to have paid no ransom following its cyberattack.
FBI: Lazarus Group is responsible for Stake.com Attack
Stake.com, a cryptocurrency sportsbook and online casino that accepts bitcoins, was also hit with unauthorized transfers in September. Stake.com reported issues with Ethereum, Polygon, and Binance Smart Chain. FBI confirms earlier reports stating that $41.0m in cryptocurrency had been affected.
Later, the FBI identified Lazarus Group (a cybercrime group) as being responsible. The FBI confirmed that the attack affected $41,0m in cryptocurrency.
Lazarus Group, also known as APT38 or DPRK, is affiliated with the Democratic People’s Republic of Korea.