MGM Resorts International properties were operational again late Monday night following a cybersecurity threat identified by the company on Sept. 11 that left its systems down.
MGM took to X, the social media site formerly known as Twitter, Monday morning to say it had identified and was investigating a “cybersecurity issue” affecting its company systems. Working with local law enforcement, the statement said, MGM was taking action to protect its systems and data, including shutting down certain systems.
Multiple reports indicated that, portfolio-wide, MGM hotel guests’ digital room keys were disabled, payment and reservation systems were down and gambling machines were offline for some time. MGM operates hotels across the country, including several prominent Las Vegas properties like Bellagio, Aria, Mandalay Bay and MGM Grand Las Vegas.
Monday afternoon, the concierge at Aria told Hotel Dive that staff at the property were handling all check-ins, checkouts and reservations manually because the computer systems were down. The concierge also noted that company email accounts were disabled, including for MGM’s corporate communications team, which did not respond to Hotel Dive’s request for comment.
Late Monday night, MGM posted an update. “Our resorts, including dining, entertainment and gaming are currently operational,” the X post read. “Our guests remain able to access their hotel rooms and our Front Desk staff is ready to assist our guests as needed.”
As of Tuesday afternoon, it remained unclear if computer operations were back to normal.
Greg Moody, an associate professor of information systems and cybersecurity at the University of Nevada, Las Vegas, told The New York Times that a “cybersecurity issue” typically means an individual or a group has attacked a company’s network, seeking profit.
There are a variety of ways cyberattackers can make money from this type of scam, according to IBM, including holding company data hostage and seeking ransom payment.
Chris Denbigh-White, chief security officer for risk and data protection solutions provider Next DLP, said that given the available information, he believes a ransomware attack is likely what MGM is currently facing.
“Casinos, both repositories of substantial wealth and vast volumes of personal and financial data that harbor a minuscule appetite for operational downtime, render them exceptionally enticing prey for cyber-criminal syndicates on the hunt for financial gain,” Denbigh-White said in a statement obtained by Hotel Dive.
Another attack method cyber criminals frequently use is stealing company or customer data to sell for profit. And this is a type of cyberattack MGM is familiar with.
In 2019, the company suffered a massive data breach that reportedly impacted some 10.6 million guests. However, according to a 2021 lawsuit filed against MGM Resorts with the United States District Court for the District of Nevada, the number of impacted guests may be closer to 200 million.
Plaintiffs in the suit claim their personal information — including names, addresses, phone numbers, email addresses and dates of birth — were stolen in the 2019 data breach, posted to the dark web and used to make fraudulent payments, open fraudulent credit card accounts and resulted in personal ransomware attacks.
The plaintiffs allege that MGM failed to maintain reasonable safeguards to protect them from this type of data breach and are requesting compensatory damages.
An ongoing issue
According to IBM, the average cost of a data breach to a business is $4.35 million. That number spans the costs of discovering and responding to the violation, downtime and lost revenue and the long-term reputational damage to a business and its brand.
For hospitality businesses, particularly, that cost averages $3.4 million, according to a recent report from Trustwave SpiderLabs. Those price tags, though, don't factor in compensation to customers impacted by the breach.
MGM is not alone in experiencing cybersecurity threats. According to Trustwave SpiderLabs, 31% of hospitality organizations have reported a data breach in their company’s history.
Hotels and other hospitality businesses are an appealing target of cybercriminals, the report said, because of their reliance on third-party providers and franchises, and the industry’s high workforce and guest turnover.
In order to prevent these costly attacks, hotels must invest in “robust and scalable hosting infrastructure and security measures,” said Suhaib Zaheer, SVP and general manager at DigitalOcean, a multinational technology company and cloud service provider.
“The hospitality industry heavily relies on online connectivity; with everything from hotel check-ins to casino slot machines, to digital room keys, consequently exposing them to elevated cybersecurity risks. As such, businesses need to invest in enterprise-grade security to protect against hackers and sophisticated threats,” Zaheer said in a statement obtained by Hotel Dive, adding that hotels should implement technology to automatically update their websites and securely backup data.
The Trustwave SpiderLabs report further said hotels should be wary when using generative AI and contactless technologies. It suggests hotels choose security tools that can detect AI-generated threats and execute regular vulnerability assessments.