MGM Resorts International laid out the scope of last month’s crippling cyberattack in a federal filing Thursday, confirming that some personal information had been comprised.
The company says the attack carried out by “sophisticated criminal actors” on MGM’s IT systems, discovered Sept. 12, would negatively impact its finances to the tune of $110 million based on current information.
“Protecting your personal information is a responsibility we take extremely seriously,” MGM Resorts CEO and President Bill Hornbuckle said in a letter to customers. “As part of our remediation efforts, we have rebuilt, restored, and further strengthened portions of our IT environment. We regret this outcome and sincerely apologize to those impacted. Your trust is paramount to us.”
The company is also offering free identity protection and credit monitoring services to individuals who were notified via email by MGM that their information was impacted.
MGM has also established a dedicated call center that can be reached at 800-621-9437 toll-free and set up a webpage at www.mgmresorts.com/importantinformation.
The hackers obtained personal information -- including names, contact information, gender, date of birth and driver’s license numbers for some of the company’s customers who transacted with MGM prior to March 2019. Social security and passport numbers were also obtained for a limited number of customers.
“The types of impacted information varied by individual. At this time, the company does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors,” the filing says.
MGM’s filing says the company “responded swiftly and shut down its systems” after discovering the attack to mitigate risk to customer information, which resulted in disruptions at some of the company’s properties but allowed the company to “prevent the criminal actors from accessing any customer bank account numbers or payment card information.”
MGM also doesn’t believe the criminals accessed The Cosmopolitan of Las Vegas systems or data, or that any of the data stolen has been used for identity theft or account fraud.
Operations at the company’s domestic properties have returned to normal and nearly all of the company’s guest-facing systems have been restored, MGM reports.
“The company continues to focus on restoring the remaining impacted guest-facing systems and the company anticipates that these systems will be restored in the coming days,” the filing says.
But the financial impact of the attack is expected to be significant on third-quarter results, predominantly in its Las Vegas operations, and have a minimal impact during the fourth quarter.
MGM estimates the cyber disruption will impact the company’s adjusted property EBITDAR for the Las Vegas Strip Resorts and Regional Operations by about $100 million.
While the company experienced impacts to occupancy due to the availability of bookings through the company’s website and mobile applications, it was mostly contained to the month of September. Occupancy that month was 88%, compared to 93% the prior year.
However, MGM also incurred nearly $10 million in one-time expenses in the third quarter related to technology consulting services, legal fees and expenses of other third-party advisors.
MGM says it believes cybersecurity insurance will be “sufficient to cover the financial impact to its business,” but the full scope of the one-time costs and related impacts has not been determined.