Cybersecurity

Cyberattack cost MGM Resorts $100 million despite refusing to pay ransom

Still, the chain told SEC it’s optimistic about fourth-quarter earnings.
article cover

MGM Resorts International

less than 3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The beleaguered MGM Resorts lost $100 million due to the cyberattack that ground much of the hotel and casino chain to a halt last month—but it told regulators on Oct. 5 that it expects to bounce back.

In an 8-K statement to the Securities and Exchange Commission, MGM said that despite September bookings falling to 88% occupancy (compared to 93% at the same time last year), those numbers should rebound in the fourth quarter.

It highlighted that it expects hotel bookings to rise in November due to an upcoming Formula 1 Grand Prix event in Las Vegas.

“Operations at the Company’s domestic properties have returned to normal and virtually all of the Company’s guest-facing systems have been restored,” according to the company’s 8-K filing. “The Company continues to focus on restoring the remaining impacted guest-facing systems and the Company anticipates that these systems will be restored in the coming days.”

MGM Resorts’ computer systems came back online roughly 9 days after an early September ransomware attack broadly disrupted the casino and hotel chain’s operations.

The company refused to pay the ransom hackers demanded to get its systems back up, the Wall Street Journal reported, in contrast with Caesars Entertainment, which recently paid about $15 million to end a similar attack.

MGM CEO Bill Hornbuckle called the attack “corporate terrorism at its finest” during a Tuesday appearance at the Global Gaming Expo.

“You don’t wish this on anybody. It happened to hit us. It was partially socially engineered. And for the couple of weeks to our company, it was devastating,” he said, according to the Las Vegas Review-Journal.

MGM also disclosed to the SEC that it “incurred less than $10 million in one-time expenses” to mop up the cybersecurity mess, including paying for consulting services, adviser fees, and legal costs. While MGM said its cybersecurity insurance should offset the financial losses, it noted “the full scope of the costs and related impacts of this issue has not been determined.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.