Sep 15, 2023 - Technology

MGM faces the fallout from nearly week-long cyberattack


MGM Resorts International is struggling to contain the public impact of an apparent cyberattack that has continued to snarl business all week at one of the U.S.'s largest casino operators.

What's happening: Roughly five days into the incident, slot machines are still out of order, digital room keys are offline and resort guests are slamming the company on social media for its seeming lack of customer support.

  • MGM, which operates several high-profile casinos across the country, is also expected to take a financial hit: The company is facing potential revenue losses, litigation and reputational risks, credit rating firm Moody's warned.
  • Meanwhile, MGM has stayed quiet on the details in its public communications throughout the week. The company has yet to confirm what kind of attack it's facing or what customer data, if any, was stolen.
  • MGM did not respond to requests for comment.

Why it matters: The fallout from the apparent cyberattack on MGM provides a rare glimpse into how damaging these incidents can be to businesses and consumers.

  • Typically, either the impact of a hack is limited to stolen personal data or the victim organization sweeps the full scope of an attack under the rug.

The big picture: Casinos and hospitality firms have become a target for cyberattacks in recent years.

  • Caesars Entertainment, which operates several major casinos in Las Vegas, confirmed on Thursday that it also faced a cyberattack a few days before the MGM hack began.

Details: The IT outages are impacting MGM properties across the country — not just in Las Vegas.

  • I visited MGM National Harbor outside of Washington, D.C. on Thursday afternoon and found a handful of slot machines on the second floor were still offline, as well as a few ATMs in the casino.
  • All of the MGM Rewards kiosks — where members can print rewards cards so they can use their points to play games — were also down, forcing people to cash out their winnings in person.

Of note: Throughout the week, confused and frustrated customers have flooded MGM's social media feeds with online reviews and comments trying to figure out if they can get a refund or if computer systems will be up in time for their weekend trips.

  • "Terrible customer service for a large customer like myself and my team," one person wrote in a Google review for the Aria Hotel in Las Vegas. "We will be taking our business elsewhere after the cybersecurity attacks."

Yes, but: The website for BetMGM, the company's online betting site, appears to have been unaffected and remains functional.

The intrigue: A member of the hacking group Scattered Spider has claimed responsibility for the MGM hack, the Financial Times reports.

  • The hackers — who are believed to be young adults possibly based in the U.S. and U.K. — initially were trying to target the slot machines and recruit people to "milk the machines," a member told the FT.
  • Bloomberg reported Wednesday that the same group targeted Caesars last week.

Zoom in: A former MGM employee who left the company this year told Axios that the company restructured roughly 75% of its corporate IT teams in April, resulting in layoffs, and outsourced another IT team in July.

  • Caesars said in an SEC filing that its cyberattack started with a social engineering attack targeting an outside IT vendor.

Between the lines: Public statements about a cybersecurity incident run up against legal obligations and regulatory scrutiny — making it difficult to communicate what's happening with the public.

  • Once a company uses the word "data breach" or "data leakage," the clock starts ticking for the organization to comply with state-level data breach notification rules and other compliance, Alex Waintraub, a cyber crisis management expert at CYGNVS, told Axios.
  • It takes days, sometimes weeks, to determine the impact of a cyber intrusion, including what data was stolen or accessed.
  • "This is going to become a legal battle," Waintraub said. "We do not say [data breach] in writing until forensics confirm that there is data leakage."