By Wyatte Grantham-Philips

The data breach last month that MGM Resorts is calling a cyberattack is expected to cost the casino giant more than $100 million, the Las Vegas-based company said in a Thursday regulatory filing.

The incident, which was detected on Sept. 10, led to MGM shutting down some casino and hotel computer systems at properties across the U.S. in efforts to protect data.

MGM said reservations and casino floors in Las Vegas and other states were affected — as customers shared stories on social media about not being able to make credit card transactions, obtain money from cash machines or enter hotel rooms. The company announced the end its 10-day computer shutdown on Sept. 20.

The incident bore all the hallmarks of an extortionary ransomware attack, which MGM has not confirmed. If so, it could be the costliest ransomware attack on record, said Brett Callow of the cybersecurity firm Emsisoft. In 2019, the Norwegian aluminum manufacturer Norsk Hydro suffered $70 million in losses after refusing to pay ranswomare criminals.

“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” MGM CEO Bill Hornbuckle said in a Thursday letter to customers. “We also believe that this attack is contained.”

Hornbuckle added that no customer bank account numbers or payment card information was compromised in the incident. But hackers stole other personal information — including names, contact information, driver's license numbers, Social Security numbers and passport numbers belonging to some customers who did business with MGM prior to March of 2019, he said.

MGM has “no evidence” that the hackers and criminal actors have used this data to commit account fraud or identity theft Hornbuckel said, noting that the company will also reach out to impacted consumers via email and offer free identity protection and credit monitoring services. “We regret this outcome and sincerely apologize to those impacted," he added.

In Thursday's filing with the Securities and Exchange Commission, MGM said it believes that September's data breach will have a negative impact on its third-quarter financial results, particularly in Las Vegas — but minimal impact in the fourth quarter and operational results for the year.

In addition to the estimated $100 million loss on adjusted property earnings before interest, taxes, depreciation, amortization and rent for its Las Vegas Strip resorts and other regional operations, MGM expects to incur charges totaling less than $10 million covering one-time expenses like legal fees and technology consulting.

MGM wasn't the only casino giant to get hit by hackers last month. Caesars Entertainment disclosed a Sept. 7 cyberattack. The Reno-based company said that its casino and online operations were not disrupted.

Caesars was widely reported to have paid $15 million of a $30 million ransom sought by a group called Scattered Spider for a promise to secure the data. According to a Thursday report from The Wall Street Journal, which cited a unnamed person familiar with the matter, MGM refused to pay hackers' September ransom demand.

MGM did not immediately respond to The Associated Press' request for further comment.

Beyond the casino world, Clorox disclosed a cyberattack recently — noting the company identified “unauthorized activity” on some of IT systems back in August. The maker of bleach and other household products says the attack has caused wide-scale disruption of operations, including notable product shortages and order processing delays.

In a Wednesday announcement, Clorox said that its net sales are expected to fall between 23% and 28% for the first quarter of 2024.

AP Reporters Frank Bajak, Ken Ritter and Rio Yamat contributed to this report.

Share:
More In Business
Al Sharpton to lead pro-DEI march through Wall Street
The Rev. Al Sharpton is set to lead a protest march on Wall Street to urge corporate America to resist the Trump administration’s campaign to roll back diversity, equity and inclusion initiatives. The New York civil rights leader will join clergy, labor and community leaders Thursday in a demonstration through Manhattan’s Financial District that’s timed with the anniversary of the Civil Rights-era March on Washington in 1963. Sharpton called DEI the “civil rights fight of our generation." He and other Black leaders have called for boycotting American retailers that scaled backed policies and programs aimed at bolstering diversity and reducing discrimination in their ranks.
A US tariff exemption for small orders ends Friday. It’s a big deal.
Low-value imports are losing their duty-free status in the U.S. this week as part of President Donald Trump's agenda for making the nation less dependent on foreign goods. A widely used customs exemption for international shipments worth $800 or less is set to end starting on Friday. Trump already ended the “de minimis” rule for inexpensive items sent from China and Hong Kong, but having to pay import taxes on small parcels from everywhere else likely will be a big change for some small businesses and online shoppers. Purchases that previously entered the U.S. without needing to clear customs will be subject to the origin country’s tariff rate, which can range from 10% to 50%.
Southwest Airlines’ new policy will affect plus-size travelers. Here’s how
Southwest Airlines will soon require plus-size travelers to pay for an extra seat in advance if they can't fit within the armrests of one seat. This change is part of several updates the airline is making. The new rule starts on Jan. 27, the same day Southwest begins assigning seats. Currently, plus-size passengers can pay for an extra seat in advance and later get a refund, or request a free extra seat at the airport. Under the new policy, refunds are still possible but not guaranteed. Southwest said in a statement it is updating policies to prepare for assigned seating next year.
Load More