MGM cyberattack cost over $100M in losses


MGM Resorts International estimates that last month's cyberattack – which forced the hotel and gaming giant to completely shut down its systems for nearly a week – will deal a $100m hit to its third-quarter results, but expects no impact on yearly profits.

"The full scope of the costs and related impacts of this issue has not been determined," MGM said in a regulatory filing with the US Securities and Exchange Commission (SEC) dated October 5th.

MGM, whose systems are just about back up to pre-attack status, said the September 11th ransom attack will also cost the company a one-time expense of just under $10 million.

Those expenses are related to cybersecurity costs from “technology consulting services, legal fees, and other third-party advisors.”

The company expects the breach will have a negative impact of about $100 million on its adjusted property core profit for its Las Vegas Strip division and expects total occupancy of 93% this October versus 94% in the same month a year ago.

MGM said it is "well-positioned" to have a strong fourth quarter with record results in November, driven mainly by a Formula One racing event slated to take place in Las Vegas.

MGM also stated it expects no impact on its full-year results from the breach.

The self-imposed system shutdown impacted all MGM websites, the mobile app, and all guest services, including disabling room key cards. Throughout the week, social media was rife with visuals of hours-long lines, slot machines showing error messages, and hotel guests checking in with pen and paper.

Customer information compromised

The MGM filing stated that the private data of customers who used MGM services before March 2019 was stolen in the breach.

The data is said to include a plethora of personally identifiable information (PII) including contact information, gender, date of birth, and driver’s license numbers.

"We also believe a more limited number of Social Security numbers and passport numbers were obtained," MGM said.

MGM also stated that it has “no evidence that the criminal actors have used this data to commit identity theft or account fraud.”

Yet, it’s barely been one month since the attack, and often, threat actors will hold onto data for future use, or the gangs will offer up the data for sale to other cybercriminals on the dark web.

Sometimes the attackers will use the stolen information for subsequent ransom attacks on the original target or target the victims whose data was stolen.

MGM said the hackers did not obtain any customer bank account numbers or payment card information because of its quick response of shutting down the systems to prevent the criminals from gaining further access.

Furthermore, no customer data from its luxury resort hotel The Cosmopolitan – one of the 12 MGM resorts located on the Las Vegas Strip – was breached.

"Based on the ongoing investigation, the company believes that the unauthorized third-party activity is contained at this time," MGM stated.

MGM systems close to fully restored

The debilitating attack coincided with a ransom attack on fellow gaming resort chain Caesars International the previous week. Caesars filed its report with the SEC on September 7th, as required in a recent change to SEC breach reporting rules.

Both attacks are said to have been carried out by two savvy ransom gangs working in collaboration, the English-speaking gang Scattered Spider and the Russian-linked ALPHV/BlackCat.

The attackers were said to have gained access to both MGM and Caesars networks by impersonating an employee and then tricking a third-party IT help desk into changing the password for that worker's account.

The attackers were also able to exfiltrate an entire database of Caesars loyalty rewards members filled with PII, the company said.

Caesars is rumored to have paid a $15m ransom to the attackers to avoid disruption to their business operations, but has not confirmed the reports one way or another.

Additionally, MGM has not disclosed whether it paid a ransom demand or if any specific amount was presented by the gangs.

MGM said operations at all domestic properties have returned to normal, and virtually all guest-facing systems have been restored, with remaining systems expected to be fully restored in the coming days.

MGM has set up a toll-free hotline and website for customers looking for more information, and it will be contacting any affected customers by email.
