MGM Resorts to Lose $100 Million After Refusing to Pay Cyberattack Ransom

MGM Resorts announced today that it suffered a severe cyberattack in September that it expects to cost the company $100 million.

MGM Resorts, a monolith in the hotel and casino industry, reportedly refused to pay a ransom demanded by the hackers and suffered dearly for it. It caused widespread service disruptions in its various Las Vegas resorts and casinos as well as causing technical problems across all of its properties nationwide.

These problems, along with the efforts MGM Resorts took to resolve the attack, are expected to cost a total of $100 million according to a recent regulatory filing from the company.

MGM Resorts Cyberattack Explained Step-By-Step

The cyberattack was first discovered on September 10th and MGM Resorts management immediately shut down its IT systems in response. Some of its tech was able to avoid any serious problems but the cyber attack affected a ton of important systems.

Slot machines, sports betting kiosks, digital keycards, rewards cards, and even the hotel booking system went down. Employees at MGM Resorts hotels across the country had to sign guests in with pen and paper for days.

The hackers asked for a ransom but were refused by management. This isn’t all too surprising as it is in line with the Federal Bureau of Investigation’s (FBI) guidance to not pay ransoms. This is because once a ransom is paid there is no guarantee that the hackers will actually return the data. Paying them also gives them and other hackers greater incentives to try to hack other companies or individuals.

However, companies sometimes end up paying the hackers anyway. In fact, one of MGM Resorts’ main rivals, Caesars Entertainment, was hit with a painful attack earlier this year and paid out half of a $30 million ransom.

MGM Resorts lost $100 million from the cost of resolving the attack as well as the service disruptions and loss of business. Despite this, the company won’t take much of a hit because it had a massive cyberattack insurance policy that it says covers the entire $100 million.

MGM Resorts Customers Are the Real Victims

While MGM Resorts may not suffer much in the end from this crisis, many of its customers likely will. The hacker was also able to steal an unconfirmed amount of information about customers who did business with the company before March 2019.

The hackers retrieved their names, phone numbers, addresses, birth dates, and driver’s license numbers. Even worse, some customers had their social security numbers and passport numbers stolen and now have to worry about their identity being stolen.

Luckily, no bank account numbers or payment card information was compromised by the attack.

Only MGM Resorts and the hacker knows how many individuals were affected by the data breach but it is surely a large number. The company easily brings in 10s of millions of customers every single year.

Chief Executive Bill Hornbuckle apologized to the affected customers, saying: “We regret this outcome and sincerely apologize to those impacted.” The company also made sure to note that it will be contacting all affected customers.