MGM Resorts International said the recent cyberattack that crippled its casinos' systems in eight states will reduce its profits by $100m but will not have a material effect on its financial condition and results of operations for the year.
“The company believes that the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter,” the company disclosed on Thursday (October 5).
The Las Vegas-based company has also incurred less than $10m in one-time expenses related to technology consulting services and legal fees from the attack that occurred last month, according to a filing with the U.S. Securities and Exchange Commission.
“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions … the full scope of the costs and related impacts of this issue has not been determined,” the company said.
MGM said it believes that the unauthorized third-party activity is contained at this point.
In its SEC filing, MGM said it had determined that those responsible for the cyberattack obtained personal information belonging to some customers who did business with the company prior to March 2019. The personal information included names, contact information (such as phone numbers, email addresses and postal addresses), gender, date of birth and driver’s license numbers.
“For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors. The types of impacted information varied by individual,” MGM said.
At this time, MGM said it does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors. In addition, the company does not believe that the criminal actors accessed The Cosmopolitan of Las Vegas systems or data.
The cyberattack escalated after MGM refused to pay a ransom to hackers, the Wall Street Journal reported on Thursday.
On Wednesday (October 4), Nevada Gaming Control Board chairman Kirk Hendrick said the state's gaming regulator was unlikely to publicly discuss the recent cybersecurity attacks on MGM and Caesars Entertainment anytime soon because the incidents are the subject of an active police investigation, the Las Vegas Review-Journal reported.
Hendrick said the control board “is acting in its capacity as an investigative and law enforcement agency to support the gaming industry.” The FBI confirmed in September that it was investigating the cyberattacks on MGM.
Brian Krolicki, a member of the Nevada Gaming Commission (NGC), asked his colleagues last month if both companies would brief regulators in public on what happened.
“I think at some point in time, when there is the energy and understanding of what happened, if we could get some kind of briefing on what had transpired, that’s appropriate for the public record and perhaps for public policy,” Krolicki said at the end of the NGC’s September 21 meeting.
Krolicki said there has been a lot of publicity surrounding these incidents, and it would benefit regulators to get a handle on just what happened.
In a letter to customers on Thursday, MGM president and CEO Bill Hornbuckle wrote that the attack did not compromise any customers’ payment or bank information.
“As previously reported, sophisticated criminal actors recently launched a cyberattack on MGM Resorts’ IT systems,” Hornbuckle wrote.
“We responded swiftly, shut down our systems to mitigate risk to customer information, and began a thorough investigation of the attack, including coordinating with federal law enforcement agencies and working with external cybersecurity experts.”
Hornbuckle added that MGM executives “regret this outcome and sincerely apologize to those impacted.”