- MGM Resorts in Las Vegas experienced a massive cyberattack resulting in estimated losses of over $80 million. The attack disrupted various aspects of the company's operations, including reservations and key cards.
- MGM Resorts used X (formerly known as Twitter) to provide updates on the cyberattack while it was ongoing. They also temporarily updated their website to inform guests about the incident and apologize for any inconvenience.
- A ransomware group named ALPHV / BlackCat claimed responsibility for the attack, according to an unverified post alleging that the group used social engineering: calling the company's help desk with an MGM Resorts employee's information found on LinkedIn. The company's cybersecurity investigation is still ongoing.
MGM Resorts in Las Vegas was the target of a massive cyberattack in September 2023, and one security expert estimated losses associated with the incident could be in excess of $80 million.
MGM Resorts used X (formerly known as Twitter) to issue updates about the attack while it was in progress. On the morning of September 11th, @MGMResortsIntl published the first of several tweets disclosing the issue, explaining:
"MGM Resorts recently identified a cybersecurity issue affecting some of the Company's systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems ... Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter."
On September 12th, financial news outlet CNBC covered the attack, reporting that "nearly every aspect" of MGM's operations was disrupted in the course of the incident. Reservations, key cards, and "casino floors" were affected, and the company was forced to disable its email system.
CNBC also detailed MGM Resorts' then-recent quarterly revenue from the period prior to the cyberattack, noting that bookings remained more lucrative than "casino operations":
"Revenue from their hotel rooms in Las Vegas outstrips the revenue directly attributed to their casino operations, according to SEC filings. The company reported Las Vegas rooms revenue of $706.7 million for the quarter ended June 30, compared to casino revenue of $492.2 million for the same period."
In an article updated on September 13th, technology news site The Verge published information about an unsubstantiated claim of responsibility for the attack:
"A ransomware group named ALPHV / BlackCat claimed responsibility, according to a post on X, formerly Twitter, from malware tracker vx-underground (via Engadget), saying they received the information directly. The unverified post alleges that the group used a social engineering attack, calling the company’s help desk with an MGM Resorts employee’s information they found on LinkedIn."
The Verge added that MGM Resorts temporarily updated their website to notify guests about the attack, and to apologize for the inconvenience. A copy of MGM Resorts' website archived on September 12th included the temporary message, which stated that the "MGM Resorts website is currently unavailable" and provided alternative methods of managing bookings.
On September 19th, MGM Resorts tweeted another update about the ongoing cyberattack. The property identified functional services, and offered help to guests experiencing "intermittent issues" caused by the security breach.
The following day, MGM Resorts tweeted a statement announcing a return to normalcy – but smaller text at the bottom noted that "MGM Rewards points redemption and certain promotional offers may be unavailable" as of that date. The statement began:
"CURRENT UPDATE: We are pleased that all of our hotels and casinos are operating normally. Our amazing employees are ready to help guests with any intermittent issues. We thank you for your patience and look forward to welcoming you soon."
On September 21st, the Associated Press reported that the MGM cyberattack had been "brought to an end ... as analysts and academics measured the effects of the event." The outlet quoted an expert's estimate of $80 million in damages – and provided context for that figure against MGM's broader revenues:
"Gregory Moody, professor and director of the cybersecurity program at the University of Nevada, Las Vegas, pointed to quoted estimates that the computer shutdown cost the company up to $8 million per day, which could put the cumulative effect at $80 million. But Moody also noted that MGM Resorts reports annual revenues above $14 billion, which would mean it averages at least $270 million in revenues per week."
MGM Resorts was not the only casino hit by a cyberattack in September. "Rival casino" company Caesars Entertainment told federal investigators it had been "hit with a cyberattack" on September 7th, but claimed its operations were not affected.