Getty Images

MGM faces $100M loss from ransomware attack

MGM's 8-K filing revealed some personal customer data was stolen during the September attack and said the company expects cyber insurance to sufficiently cover the losses.

MGM Resorts International estimated last month's ransomware attack will cost the company $100 million but said the amount will likely be covered by its cyber insurance policy.

In September, MGM disclosed a cyber attack after guests reported issues related to room access, amenities and casino games that persisted for days. Identity and access management vendor Okta later confirmed that MGM was one of many customers affected in a previously disclosed social engineering campaign where attackers obtained privileged access to victim organizations.

More information about the attack and remediation was revealed in an 8-K filing and update from MGM CEO William Hornbuckle on Thursday. MGM confirmed it took systems offline to contain the threat after detecting the attack. According to the 8-K, the swift response prevented threat actors from accessing any customer bank account numbers or payment card information.

While MGM restored many of its systems and said affected operations have resumed as normal, remediation efforts proved costly.

"Specifically, the Company estimates a negative impact from the cybersecurity issue in September of approximately $100 million to Adjusted Property EBITDAR [earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs] for the Las Vegas Strip Resorts and Regional Operations, collectively," MGM wrote in the 8-K filing.

In addition to the $100 million loss from business disruptions, MGM said it also incurred less than $10 million in one-time expenses, which included technology consulting services, legal fees and expenses of other third-party advisors. However, the costs may be covered under MGM's cyber insurance policy.

"Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined," the filing read.

Ransomware and cyber insurance have a historically rocky relationship. Ransomware attacks were blamed by some for a surge in premiums, and the threat strongly influences enterprise's ability to obtain policies. For example, some insurers require customers to implement effective backups for ransomware response before being issued a policy.

Additionally, there's been ongoing contention with insurance carriers' role in ransomware incident response, particularly around payments. Cybercriminal gangs know some insurance policies cover ransom payments, which could lead to an increase in attacks and higher demands. A recent report by insurer Coalition revealed "historic highs" for ransomware claims in the first quarter of 2023 with higher ransom demands and increased business disruption.

On the other hand, a report earlier this year from Delinea showed 70% of respondents said their insurance policy did not cover ransomware payments.

The Alphv/BlackCat ransomware gang claimed responsibility for the attack, though it remains unclear if MGM received a ransom demand or made any kind of payment to the threat actors. The company did not respond to TechTarget Editorial's request for additional comment.

Compromised customer data

Hornbuckle's statement, in conjunction with the 8-K filing Thursday, shared similar information. He echoed that MGM's swift response led to decreased fallout and said a "vast majority of our systems have been restored."

However, Hornbuckle said the attackers did steal personal information for customers that transacted with the company prior to March 2019. The data included names, genders, dates of birth and driver's license numbers. In some cases, Social Security numbers and passport numbers were also affected.

"As part of our remediation efforts, we have rebuilt, restored and further strengthened portions of our IT environment," Hornbuckle wrote in the statement. "We regret this outcome and sincerely apologize to those impacted."

According to the 8-K, guest-facing systems "will be restored in the coming days."

Caesars Entertainment, another Okta customer that was affected in the recent social engineering campaign, experienced a similar attack last month. In its 8-K filing, Caesars said it took steps to "ensure that the stolen data is deleted by the unauthorized actor." The Wall Street Journal reported that Caesars paid roughly half of a $30 million ransom demand from the threat actors.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Next Steps

DOJ charges 5 alleged Scattered Spider members 

Dig Deeper on Data security and privacy