MGM faces $100M loss from ransomware attack

MGM Resorts International estimated last month's ransomware attack will cost the company $100 million but said the amount will likely be covered by its cyber insurance policy.

In September, MGM disclosed a cyber attack after guests reported issues related to room access, amenities and casino games that persisted for days. Identity and access management vendor Okta later confirmed that MGM was one of many customers affected in a previously disclosed social engineering campaign where attackers obtained privileged access to victim organizations.

More information about the attack and remediation was revealed in an 8-K filing and update from MGM CEO William Hornbuckle on Thursday. MGM confirmed it took systems offline to contain the threat after detecting the attack. According to the 8-K, the swift response prevented threat actors from accessing any customer bank account numbers or payment card information.

While MGM restored many of its systems and said affected operations have resumed as normal, remediation efforts proved costly.

"Specifically, the Company estimates a negative impact from the cybersecurity issue in September of approximately $100 million to Adjusted Property EBITDAR [earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs] for the Las Vegas Strip Resorts and Regional Operations, collectively," MGM wrote in the 8-K filing.

In addition to the $100 million loss from business disruptions, MGM said it also incurred less than $10 million in one-time expenses, which included technology consulting services, legal fees and expenses of other third-party advisors. However, the costs may be covered under MGM's cyber insurance policy.

"Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined," the filing read.

Ransomware and cyber insurance have a historically rocky relationship. Ransomware attacks were blamed by some for a surge in premiums, and the threat strongly influences enterprise's ability to obtain policies. For example, some insurers require customers to implement effective backups for ransomware response before being issued a policy.

Additionally, there's been ongoing contention with insurance carriers' role in ransomware incident response, particularly around payments. Cybercriminal gangs know some insurance policies cover ransom payments, which could lead to an increase in attacks and higher demands. A recent report by insurer Coalition revealed "historic highs" for ransomware claims in the first quarter of 2023 with higher ransom demands and increased business disruption.

On the other hand, a report earlier this year from Delinea showed 70% of respondents said their insurance policy did not cover ransomware payments.

The Alphv/BlackCat ransomware gang claimed responsibility for the attack, though it remains unclear if MGM received a ransom demand or made any kind of payment to the threat actors. The company did not respond to TechTarget Editorial's request for additional comment.