The CEO of MGM Resorts International has offered additional details of the crippling cyberattack that shut down the company's computer systems in Las Vegas and eight states, but stressed that MGM never even considered paying a ransom to the hackers behind last month's incident.
“It’s corporate terrorism at its finest,” CEO Bill Hornbuckle said on Tuesday (October 10) during a keynote session at the Global Gaming Expo (G2E) in Las Vegas. “I don’t wish this on anybody. It hit us. It was partially social engineering and for a couple of weeks to our company it was devastating.”
Hornbuckle stressed that MGM saw the attack early on and “knew that they were there.”
“We reacted quickly to protect data and so you saw us shutting down our systems. We found ourselves in an environment for the next four to five days with 36,000 hotel rooms and some regional properties. We were completely in the dark. Literally, the telephones, the casino system, the hotel systems, and I could go on and on, were not functioning. So, you put the company to the test.”
Hornbuckle described the cyberattack as an “internal culture change” for the company, bringing everyone together.
“We are now three weeks into this thing come this past weekend and it is behind us. The current threat is gone but there is always a threat and so are these threat actors and others. You have to be vigilant about it.”
Hornbuckle confirmed that MGM did not pay a ransom demanded by the attackers.
“Paying ransom was never a consideration,” Hornbuckle said. “I know people say don’t pay ransom. But the way this came at us and the velocity that this came at us, we reacted quickly to protect data.”
Declining to pay the ransom was a tactical decision, Hornbuckle said, because it was still going to take time to assess the damage and how to get the company back online. He added that the company was already in “defense mode”.
In an SEC filing last week, MGM said it had determined that those responsible for the cyberattack obtained some customer personal information from those who did business with the company prior to March 2019. The personal information included names, contact information, such as phone numbers, email addresses and postal addresses, as well as gender, date of birth and driver’s license numbers.
“For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors. The types of impacted information varied by individual,” MGM said.
At this time, MGM said it does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors. In addition, the company does not believe that the criminal actors accessed The Cosmopolitan of Las Vegas systems or data.
“We find ourselves now a couple weeks into this thing fully functioning,” Hornbuckle said. “We have all our commercial systems back. This is probably going to cost us $100m.”
Hornbuckle said the costs will be covered by cyber insurance, although “I can only imagine what next year’s bill will be.” He told a crowd gathered in a ballroom at The Venetian resort at G2E that the focus was now on reinvestment into infrastructure, people and processes.
The fact that the hacking group Scattered Spider claimed responsibility for the cyberattacks on MGM and Caesars Entertainment was not lost on Bill Carstanjen, president and CEO of Churchill Downs, and Jette Nygaard-Anderson, CEO of Entain, during separate keynote interview sessions at G2E on Tuesday with CNBC news anchor Contessa Brewer.
Brewer asked Nygaard-Anderson if the cyberattack on MGM had any impact on BetMGM, which is a 50-50 partnership between Entain and MGM.
“We haven’t seen an impact,” Nygaard-Anderson said. “So, the Entain platform has not had an impact from the incident MGM had.”
Carstanjen said in the case of Churchill Downs, the threat of a cyberattack has never been greater than now.
“I think we all are very focused and very concerned about it because clearly it is happening across our industry now and clearly there is something about this heard mentality,” Carstanjen said. “From our perspective, especially around our online business, we saw some attacks a number of years ago.
“We went and revisited everything, particularly these recently effective social engineering attacks where they are able to worm their way in through a human into the system. These are even more sophisticated than they have been.
“It’s a challenge for everyone in the industry. It’s a challenge for us,” Carstanjen added.