After filing a suit, the US Federal Trade Commission has stepped up its legal fight with MGM Resorts International. The FTC wants the gaming group to cooperate in the investigation of a cyber attack that occurred 2023.
In a petition filed in US District Court, Nevada, the FTC seeks an order requiring MGM Resorts’ response to the investigation it conducted into the breach that occurred at its Las Vegas Strip properties in September 2023.
This move was made just a few weeks after MGM filed a suit in the Federal Court of Washington DC. The group claimed in April that it did not need to comply with FTC Civil Investigation Demand CID because it was not a financial institute.
Casino company asked FTC Chair Lina Khan not to take part in the case as she was present when cyber-attacks took place on Las Vegas.
FTC denies MGM’s claims
The FTC argues in its latest Nevada filing that MGM Resorts falls under its jurisdiction as an institution which extends credit to customers. The FTC called MGM Resorts’ argument “meritless”.
MGM could argue…that it’s not a type of entity that is subject to Safeguards Rule or Red Flags Rule, (respectively referred to as a “financial institutions” or “creditor”) so the CID would be improper. This argument has no merit. The argument is without merit.
MGM has 10 days from the date of the CID to provide the requested information if the FTC wins the case.
This legal dispute relates to a large-scale cyberattack that was launched in September of last year against MGM. MGM had to close down some systems in its US-based properties as a result of the cyberattack. The attack affected access to MGM’s hotel rooms and slots machines.
The hacker group Scattered Spider took responsibility for the attacks days after they occurred. The group said it would continue to attack MGM’s network if MGM failed to pay the demands.
What was the MGM lawsuit about?
In the April lawsuit, MGM sought “injunctive relief and declaratory remedies” against FTC. MGM claims that the FTC’s actions and those of Khan violated the Fifth Amendment due process clause.
The clause states that all bodies which are subject to the government’s action will be heard by an impartial tribunal. This clause also guarantees fair treatment by the law.
According to the suit, media reports stated that Khan and “an unnamed senior adviser” were at MGM Las Vegas’s property at the time the cyberattack occurred.
Bloomberg reported that the IT system was down and a staff member asked Khan to have her employees write their credit card numbers on paper.
Khan asked the MGM employee what steps MGM had taken to ensure data security following the attacks. According to reports, the employee said that he did not know.
This exchange prompted the FTC to launch an investigation. On 25 January 2024, the FTC sent a Civil Investigation Demand (CID), to get a reply to Khan’s query. The suit states that the CID requests information in more than 100 different categories from the period before the attack.
MGM’s adjusted EBITDAR property for the third-quarter was estimated to be affected by $100m in the following month (PS80.3m/EUR94.1m). In spite of this, the company reported a record Q3 revenue totaling $3.97bn. Bill Hornbuckle, the CEO of MGM who presented its Q3 results said that MGM had “gone to hell and back”.
Caesars describes cyberattacks as “new norm”
Caesars Casino was also the victim of a cyberattack back in September. As part of this attack, the operator revealed that its database for loyalty programmes was compromised.
Nicole Solaita (SVP, chief audit executive, Caesars) told KPMG’s webinar earlier this week that cyber-threats in the gaming sector are “now our new normal”.
Solaita, reflecting on the cyber attack that had a huge impact on Caesars in September last year, told her audience: “Unfortunately, I have realised this will be the new normal for corporates.”
Training and education are essential in this area. “Despite all the training and preparation, some cyber-attacks aren’t that sophisticated,” said she.
