A sweeping cyberattack that resulted in a data breach of several MGM Resorts properties, including Borgata Hotel Casino & Spa in Atlantic City, may cost the company as much as $100 million.
MGM revealed the expected financial impact of the cyberattack in a public filing with the Securities and Exchange Commission last week. The company, based in Las Vegas, admitted in the SEC filing that its third-quarter revenue would be negatively impacted by the cyberattack but said it expected the fourth quarter to be unaffected.
If the data breach does cost MGM as much as $100 million, it would be the costliest cyberattack in United States history.
Cyberattack on MGM Resorts may be costliest ever
In September, several MGM casinos and hotels in numerous states – including in the Atlantic City casino market – were crippled by an apparent ransomware attack that made it difficult for cash machines, reservation systems and other computer programs to function.
Some locations were impacted as long as two weeks after the attacks. The attack targeted computer systems at MGM resorts and casinos in Nevada, New Jersey, New York and many other states.
During the attack, Borgata Atlantic City lost control of its systems, experiencing a shutdown of its hotel reservation systems.
Also, many ATMs went offline, and there were interruptions of loyalty card play on slot machines. The gaming floor was never closed following the cyberattack, however, and the Atlantic City casino remained open despite the emergency, which was detected on Sept. 10, according to MGM.
Unknown if stolen data was sold online
It’s unclear, MGM said, whether data stolen by the hackers has been sold online for nefarious purposes. The company has retained a security company that provided a toll-free number to assist customers who may have had their data breached.
MGM is currently offering identity protection and credit monitoring services free of charge to consumers who may have been impacted by the breach. According to MGM, the company has spent $10 million to pay data security experts following the breach.
A criminal hacker organization calling itself Scattered Spider was responsible for the cyberattack on Borgata and other MGM-owned properties, according to reports. That group apparently demanded a ransom from MGM Resorts to restore access to its computer systems. However, a ransom was not paid.
In a similar data breach that occurred around the same time this summer, Caesars Entertainment reportedly paid $15 million of a $30 million ransom demand. MGM did not reveal its own data breach until after the Caesars attack made the news.
Borgata is one of the casinos named in a civil lawsuit against MGM for the data breach, filed by customers who allegedly had their private information stolen by the hackers. Consumers are also lining up to sue Caesars Entertainment, which had its customer and loyalty program database copied and stolen by the criminal hackers.