Ransomware Attack Costs MGM Resorts More than $100 Million

Last month’s massive ransomware attack on MGM Resorts is costing the entertainment giant over $100 million, including $10 million in one-time consulting cleanup fees.

That’s according to MGM Resorts’ filing with the U.S. Securities and Exchange Commission (SEC). Ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat, claimed responsibility for the massive MGM Resorts breach in a post on the dark web, according to Check Point Research (CPR). The attack impacted operations at numerous hotels and casinos on the Las Vegas strip, including the MGM Grand, Bellagio, Aria, Mandalay Bay and more.

“The company believes that the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter,” MGM Resorts said. “The company does not expect that it will have a material effect on its financial condition and results of operations for the year. ”

MGM Resorts Doesn’t Yet Know Full Cost of Attacks

Although MGM Resorts believes its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, it hasn’t determined the full scope of the costs and related impacts of the attack.

“Based on the ongoing investigation, the company believes that the unauthorized third-party activity is contained at this time,” it said. “The company has determined, however, that the criminal actors obtained, for some of the company’s customers that transacted with the company prior to March 2019, personal information — including name, contact information such as phone number, email address and postal address, gender, date of birth and driver’s license numbers. For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors. The types of impacted information varied by individual. At this time, the company does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors.”

In addition, MGM Resorts doesn’t believe that the criminal actors accessed The Cosmopolitan of Las Vegas’ systems or data. It also has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud.

“While no company can ever eliminate the risk of a cyberattack, the company has taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards,” it said. “These efforts are ongoing.”

Deep Pockets Can Bolster Recovery

Anne Cutler, cybersecurity evangelist at Keeper Security, said while MGM may not be publicly disclosing the full extent of the impacts, the ramifications of any cyberattack of this size are inevitably far reaching and long lasting.

Keeper Security’s Anne Cutler

“No organization is too large to hack, but the ability to recover from a significant attack is certainly bolstered when the company has deep pockets,” she said. “For many SMBs, a ransomware attack can force them out of business entirely. Although the $100 million in losses are costly on the surface, MGM’s decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government and law enforcement. Paying a ransom to cybercriminals does not guarantee a full return of an organization’s systems and data, and only furthers the ransomware ecosystem.

Omri Weinberg, co-founder and chief revenue officer at DoControl, a provider of automated SaaS security, said in cybersecurity, “you have endless threats on a daily basis and basically endless points of attack.”

DoControl’s Omri Weinberg

“No company will be ever be fully bulletproof, and just like the casino, you need to bet where to invest the resources and funds in your cybersecurity practice,” he said. “Adversaries will always be more sophisticated with new technologies and it’s a never-ending game. Luckily there are many great cybersecurity companies out there that can give a lot of great coverage to reduce the risk and make sure you bet less. MGM Resorts International is obligated to give clarity about its action and the damage that was caused by this specific attack. If the SEC received a detailed brief about what happened, why, and how it can be prevented next time that’s OK. If that is not the case, and they were just conceived by an announcement, that’s very concerning.”

Criminals Often Return to the Scene of the Crime

Bud Broomhead, CEO at Viakoo, said criminals “often return to the scene of the crime, and want the victim to still be alive and able to be continually vulnerable to subsequent attacks.”

Viakoo’s Bud Broomhead

“No company is too big to hack,” he said. “The key issue is a business too resilient to hack. MGM may have invested heavily in backup and recovery, and may use this attack to learn where their weakness are so next time they will be even more resilient to attack. MGM deserves credit for not paying the ransom. Hopefully their example will push more organizations to focus on resiliency and business continuity. It’s never a question of will you be hacked, just when you’ll be hacked and how prepared you are for it.”

Coalfire’s Andrew Barratt

Andrew Barratt, vice president of Coalfire, said it’s important to look at this in the context of their income.

“MGM is a huge organization that is very profitable,” he said. “With revenues of $14 billion, it’s easy to see why they’ve flagged this as not being material. However, it doesn’t mean they’re too big to hack. Quite the opposite. It shows that larger organizations are likely a very profitable target for organized crime groups (OCGs) with cyber capability.”