MGM officially acknowledges cyberattack, expects $100 million loss hit

Casino giant MGM Resorts International has officially recognized a cyberattack that affected its properties throughout the United States, revealing that it anticipates a cash flow loss of $100 million resulting from the nine-day incident. The formal acknowledgment of the attacks comes nearly a month after the event occurred.

“On or around September 29, 2023, MGM Resorts determined that an unauthorized third party obtained personal information of some of its customers on September 11, 2023,” the company said in a statement, adding that an investigation is ongoing.

“The affected information included name, contact information (such as phone number, email address, and postal address), gender, date of birth, and driver’s license number.  For a limited number of customers, Social Security number and/or passport number was also affected,” it said.

In a Securities and Exchange Commission (SEC) filing and a letter addressed to MGM customers, CEO Bill Hornbuckle expressed his regret for the situation. He also expressed gratitude to the company’s employees for their resilience during the period when the cyberattack disrupted operations, affecting various aspects such as the MGM app, slot-machine payouts, and company email, Las Vegas Review-Journal.

The steps the company has taken to address the situation include offering free identity protection and credit monitoring services to individuals whose information may have been compromised. A dedicated telephone call center has been set up for customer inquiries, which can be reached at 800-621-9437 during specified hours.

The SEC filing indicated that the cyberattack would have a negative impact on MGM’s third-quarter financial results. However, it stated that the fourth quarter, especially for the Las Vegas operations, is expected to experience minimal impact. MGM is anticipated to release its third-quarter earnings information in late October or early November. Despite the incident, the company does not foresee a significant effect on its overall financial condition and results of operations for the year.

“Specifically, the company estimates a negative impact from the cybersecurity issue in September of approximately $100 million to adjusted property EBITDAR (earnings before interest, taxes, depreciation, amortisation, and restructuring or rent costs) for the Las Vegas Strip resorts and regional operations, collectively,” the SEC filing said.

“While the company experienced impacts to occupancy due to the availability of bookings through the company’s website and mobile applications, it was mostly contained to the month of September which was 88 percent (compared to 93 percent in the prior year period),” the filings added.

The reason behind MGM’s optimism about its long-term financial stability is its anticipation of a strong fourth quarter, partly attributed to its proximity to events related to the Formula One Las Vegas Grand Prix race scheduled for November 16-18 along the famous Las Vegas Strip.

“The company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by Formula 1. The company is further forecasting occupancy to be 93 percent in October (compared to 94 percent in the prior-year period) and to fully rebound in November for the Las Vegas Strip resorts.”

According to the SEC filing, MGM incurred less than $10 million in expenses during the third quarter in response to the cyberattack. These expenses included technology consulting services, legal fees, and fees for other third-party advisers.

According to a recent Reuters report, David Bradbury, Chief Security Officer of identity management firm Okta, revealed that five of the company’s clients, including MGM and Caesars Entertainment, have fallen victim to hacking groups identified as ALPHV and Scattered Spider since August.

Caesars had previously officially confirmed that it suffered a data breach that may have resulted in the exposure of sensitive information, including data from its loyalty program database. The Wall Street Journal reported that the company paid approximately half of a $30 million ransom demanded by the hackers.