Officials at MGM Resorts International continue to respond to a major cyberattack that affected credit card transactions, gaming operations and other computerized systems throughout its resorts.
The outage began on Sunday (September 10) night, forcing the company to shut down some systems to prevent what was described as a “cybersecurity issue” from getting worse in multiple U.S. states where MGM operates casinos.
In response to the cyberattack, the FBI told Vixio GamblingCompliance on Tuesday that although it was “aware of the incident, as this is still ongoing, we do not have any additional information to provide at this time.”
The decision by MGM to shut down its computer systems affected casino operations, with reports of slot machines being taken offline inside some Las Vegas Strip casinos. A few slot machines were operational, but customers were forced to wait for their payouts from a slot attendant.
Other areas affected included the ability of customers to access their hotel reservations on the company’s website, disabled digital entry to hotel rooms, and casino management systems that oversee slot machines and cashless gaming.
“As an update to our previous statement, our resorts, including dining, entertainment and gaming are currently operational, and continue to deliver the experiences for which MGM is known,” the company said in a statement emailed on Tuesday morning.
An MGM spokesman, using a Gmail account because his company email was not working, confirmed Monday that MGM had identified a cybersecurity issue affecting some of the company’s systems.
“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”
The Nevada Gaming Control Board (NGCB) declined to comment on the incident when contacted by Vixio.
Besides the 14 properties it manages in Nevada, MGM is also a licensed casino operator in Maryland, Massachusetts, Michigan, Mississippi, New York and Ohio.
Thomas Mills, a spokesman with the Massachusetts Gaming Commission (MGC), said Tuesday that the “company has made the commission aware of the issues and is working closely with the MGC team."
“I’d refer you back to MGM for more information on their end, the commission is working with them currently,” he said.
It was a similar story in Maryland, Ohio and New Jersey, where regulators similarly confirmed MGM had notified them about the cyberattack.
“Maryland's casinos are required to notify us of any operational security issues, which MGM has done,” said Seth Elkin, a spokesman with Maryland Lottery and Gaming.
Jessica Franks, a spokeswoman with the Ohio Casino Control Commission (OCCC), said the commission was contacted by MGM's online sports-betting venture BetMGM.
“I will note that BetMGM is a separate entity from MGM with separate systems. As far as I am aware, sportsbook operations were not impacted,” she said.
“MGM notified the New Jersey Division of Gaming Enforcement (DGE) about the cyber incident Sunday evening,” the DGE said in a statement. “MGM also provided DGE with information regarding their response to address the issue, including at the Borgata.”
The DGE added that as a result of the cybersecurity incident, several aspects of the Borgata Atlantic City's operations, including both gaming and hotel services, were affected.
“However, MGM has established procedures in place to ensure continued operations under these circumstances and currently the Borgata facility is operational. DGE is actively monitoring the situation to ensure the integrity of operations. DGE is also aware of public reports regarding an ongoing investigation by the FBI and will cooperate with any requests for assistance.”
The incident marked the second cyberattack involving MGM in recent years. In February 2020, MGM confirmed it suffered a cyber breach in 2019 when personally identifiable information was stolen from a cloud server owned by the company. More than 10.6m hotel guests had their information compromised in the attack.
“The incident that occurred with MGM Resorts earlier this week continues to remind all of us that the gaming and hospitality industry is not immune to disruptions from outside entities,” said Brendan Bussmann, managing partner of B Global in Las Vegas.
“We’ve seen years ago when the Iranians attacked Las Vegas Sands and what has happened this week will not be the last,” said Bussman, referring to a 2014 cyberattack on Las Vegas Sands that was allegedly perpetrated on behalf of the Iranian government in response to public comments made by Sands' CEO and founder, Sheldon Adelson.
Bussman told Vixio that there are a host of regulatory and federal agencies that are going to look into the MGM incident.
“Gaming is the most highly regulated industry in the world, and it has a greater set of eyes on it but let’s evaluate the whole situation and then see how best to respond and learn from this latest incident.
“Some of the most secure buildings in the world are on the Las Vegas Strip but this is not just what is visible to the average person,” he added. “This is across the board and as those that are in the business of causing disruption continue to figure out new ways, the industry continues to try to stay a step ahead."
When asked if it was unusual for a gaming company to deactivate a portion of its computer systems to minimize the damage from a cyberattack, Yoohwan Kim, a computer science professor who leads the Cybersecurity Center at the University of Nevada, Las Vegas, said companies should do everything to stop the spread of the damage until the attack is well contained.
“There are some standards [the] hotel industry can adopt such as NIST Cybersecurity Framework, ISO 27000, SOC2,” Kim told Vixio. “So, the regulators can mandate those. However, I believe big corporations such as MGM are already adopting them heavily, so I don’t think it will increase the cybersecurity for them particularly."
“They already know how important the cybersecurity is for their business,” he said.