MGM Resorts International estimates that the cyberattack last month will have an impact on adjusted EBITDAR of its properties for the third-quarter in excess of $100m (PS82.0m/EUR94.8m).
On 11 September, the operator had to close certain systems due to a cyber security issue. MGM Resorts’ website also went down during this cyber attack.
MGM released an update one week later, saying that it worked to “normalize” the operations of its Excalibur Las Vegas Casino.
MGM now says that operational disruptions at the affected properties have had a negative effect on Q3, concluded 30 September. It says that this will primarily affect the performance of their operations in Las Vegas.
In Q3, the adjusted property EBITDAR of Las Vegas Strip Resorts will suffer a negative impact of $100.0m.
MGM optimistic about Q4 and the full year
MGM says that the impact will be minor in Q4 and it doesn’t expect any material effects on their financial situation or results.
MGM expects to have a record-breaking November thanks in part to the Formula 1 race that will be held for the first ever time next month in Las Vegas.
MGM reports that the occupancy rate in September was 88%. The occupancy rate for September was 88%, down from 93%.
MGM also notes that the company incurred a one-time expense of less than $10m during Q3 in relation to this cyberattack. This included legal fees, technology consulting and other expenses from third parties.
MGM says that the financial effects of this incident are still unknown.
MGM stated that “although the company believes its cyber insurance policy will cover its financial impact as a consequence of operational disruptions and the above-mentioned one-time costs, and any future expenses,” the scope and cost of the issue and its related effects have not yet been fully determined.
The company has concluded that, based on its ongoing investigations, it believes the activity of unauthorised third parties is now contained.
MGM promises to support its customers
MGM released a new update that revealed what type of data was taken during the attacks. The information stolen includes names, addresses, dates of birth, and gender of customers.
MGM says that for a small number of players the social security numbers and passport numbers were also affected. The types of information affected varied depending on the individual, MGM says.
MGM has stated that they do not think the passwords of players, their bank accounts or card payment information were affected.
MGM immediately took action to secure its data and systems after discovering the cyberattack. This included shutting down some systems. MGM also conducted an investigation, with cybersecurity experts’ assistance. It continues to work with law enforcement on the case.
MGM has begun notifying affected customers. It will also provide them with free credit monitoring services and identity protection.
MGM Resorts said that it takes security and privacy of data and systems very seriously. It has taken additional measures to protect these systems.
Hacker group Scattered spider, which is part of the ransomware collective reportedly responsible for this breach, claims responsibility.
Scattered Spider claimed to have launched ransomware on MGM’s computer systems. Scattered Spider also warned that it would launch more attacks against MGM if the company failed to pay.
Caesars is also a victim of cyberattack
Caesars Entertainment reported the same issue a few days after MGM had been hit by a cyberattack. The operator reported that its loyalty program was compromised in a 14-September filing to the Securities and Exchange Commission.
After an investigation it became clear that attackers had obtained data on customers, including a database of Caesars loyalty program. The database contained the social security and driver’s license numbers of different loyalty program members.
Caesars said that the attacks on its mobile apps and locations, including Caesars Entertainment, had not affected their customer-facing aspects.
Media sources reported that Caesars had paid ransoms in the tens or hundreds of millions to cyber-attackers. MGM is believed to have paid no ransom following its cyberattack.
FBI: Lazarus Group is responsible for Stake.com Attack
Stake.com, a cryptocurrency sportsbook and online casino that accepts bitcoins, was also hit with unauthorized transfers in September. Stake.com reported issues with Ethereum, Polygon, and Binance Smart Chain. FBI confirms earlier reports that $41.0m in cryptocurrency were affected.
Later, the FBI identified Lazarus Group (a cybercrime group) as being responsible. The FBI confirmed that the attack affected $41.0m in cryptocurrency.
Lazarus Group, also known as APT38 or DPRK, is associated with the Democratic People’s Republic of Korea.