MGM Resorts International filed a suit against the Federal Trade Commission in order to prevent the FTC from investigating the MGM Cyber Attack.
MGM has filed a lawsuit in Washington federal court yesterday, 15 April against the FTC as well as Lina M Khan the FTC Chair.
This suit is a response to a large-scale cyberattack launched in September of last year against MGM. MGM had to close down some systems in its US-based properties as a result of the cyber attack. The attack affected access to MGM’s hotel rooms and slots machines.
The hacker group Scattered Spider took responsibility for the attacks days after they occurred. The group said it would continue to attack MGM’s network if MGM failed to pay the demands.
What was the reason for filing suit?
MGM seeks “injunctive relief and declaratory remedies” from the FTC. MGM claims that the FTC’s actions and those of Khan violated the Fifth Amendment due process clause.
The clause states that all bodies which are subject to the government’s action will be heard by an impartial tribunal. This clause also guarantees fair treatment by the law.
According to the suit, media reports stated that Lina “and an anonymous senior adviser” were at MGM Las Vegas at the time the cyberattack occurred. Bloomberg reported that, as the IT system was down, an employee asked Khan to have her staff write their credit card numbers down on paper.
Khan asked the MGM employee what steps MGM had taken to ensure data security following the attacks. According to reports, the employee said that he did not know.
This exchange prompted the FTC to launch an investigation. On 25 January 2024, the FTC sent a Civil Investigation Demand (CID), to get a reply to Khan’s query. The suit states that the CID requests information in more than 100 different categories from the period before the attack.
MGM’s adjusted EBITDAR property for the third-quarter was estimated to be affected by $100m in the following month (PS80.3m/EUR94.1m). In spite of this, the company reported a record Q3 revenue totaling $3.97bn. Bill Hornbuckle, the CEO of MGM who presented its Q3 results said that MGM had “gone to hell and back”.
Caesars Casino was also the victim of a cyber-attack in September. As part of this attack, the operator revealed that its database for loyalty programmes was compromised.
Khan to recuse himself and end the Civil Investigative Demand
MGM filed a request to annul or modify the CID 20 February 2024. Operator claimed the CID was based on “inapplicable rules of financial services”. MGM claims that the CID was sent to verify compliance with the Safeguards Rule and Red Flags Rule. MGM claims that the rules do not apply here.
MGM then filed a motion for Khan to be disqualified or to recuse herself due to “her personal involvement in the investigation subject”. MGM revealed it was a defendant of 15 class action lawsuits filed by consumers. Khan has been named as both a civil plaintiff who could also be a witness and a potential defendant.
On 1 April 2024, the FTC denied both MGM’s motions. MGM claims this deprives them of their rights as per the Fifth Amendment.
The suit states that “it is fundamentally against the Fifth Amendment guarantees of equal protection and due process for the FTC” to subject MGM an investigation on the basis of regulatory provisions which are not applicable on their own.
MGM argues that it shouldn’t be included in this investigation because it’s not a financial institute. MGM noted that in the past, the FTC had not attempted to enforce either the Safeguards or Red Flags rules on an operator of a casino resort like MGM.
