Casino giant MGM Resorts International (NYSE:MGM) is currently facing a significant cybersecurity event that first came to light on Sunday, 10 September, 2023. The incident has affected the company's hotel booking and restaurant reservation systems, digital keys, and corporate applications, including its website. Despite the operational disruption, MGM has confirmed that all casino floors were functional as of Tuesday, 12 September.
On the same day, MGM issued a press release and filed an 8-K report with the Securities and Exchange Commission (SEC), indicating that the cyberattack posed a material risk to the company. The 8-K filing is a notification of an event that might have a significant financial impact on a publicly traded company.
The FBI has launched an investigation into the incident, which remains unresolved. Rumors suggest that a ransomware group using social engineering may be responsible for the incident. However, neither the FBI nor MGM has confirmed this.
In response to the attack, MGM has initiated several measures to protect its systems and data, including shutting down certain systems. The company stated: "We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly." Despite these efforts, MGM's main website remained down as of Thursday.
The incident has raised concerns among stakeholders and credit rating agency Moody's (NYSE:MCO) Investors Service warned that the attack could hurt the company’s credit rating. The agency pointed out that this incident highlights key risks associated with MGM’s heavy reliance on technology and the operational disruption caused when systems need to go offline or are inoperable.
This is not MGM's first encounter with a public cybersecurity breach. Three years ago, personal information of 10 million customers was stolen and published on a hacking forum. The current situation unfolds at a time when ransomware attacks are becoming more frequent and more costly for targeted companies. Research from security vendor ZScaler indicates that ransomware-related attacks have risen 37% this year versus the previous year, with the average payment now more than $100,000.
MGM's rival, Caesars (NASDAQ:CZR) Entertainment Inc., also disclosed on Thursday that it had recently identified "suspicious activity" in its information-technology network resulting from a "social engineering attack" on an outsourced IT support vendor. The company confirmed that the cyberattacker acquired a copy of its loyalty-program database, which includes driver’s license numbers or Social Security numbers for a significant number of members.
These incidents come as the SEC is preparing to enforce new disclosure rules from December, requiring more transparency in the event of cybersecurity breaches. The Nevada Gaming Commission already mandates casinos to disclose cyberattacks within 72 hours and to take measures to protect their systems, including annual reviews of their overall cybersecurity.
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.