Dive Brief:
- MGM Resorts said federal and state regulators are investigating the company in connection with the September cyberattack that disrupted operations at the hotel and casino firm for days, the company said in a 10-K filing with the Securities and Exchange Commission last week.
- MGM Resorts warned it could face monetary fines and other actions as a result of the investigations. The company said it is “reasonably possible” it could incur losses in connection with legal proceedings, which include class action lawsuits, however it is too early to estimate the impact.
- MGM was targeted in a social engineering attack linked to the Scattered Spider and AlphV/BlackCat ransomware groups. In October, the company warned its Las Vegas area hotels would incur a $100 million impact from the attacks, in a filing with the SEC.
Dive Insight:
MGM Resorts, which operates more than 30 hotel and casino properties around the world, suffered one of the most high-profile cyberattacks in the U.S. last year. The attacks left many hotel guests locked out of rooms, disrupted casino operations and temporarily impacted online reservations.
During the company’s fourth quarter conference call earlier this month, CFO Jonathan Halkyard said there were some “lingering cyber incident challenges” impacting the regional properties. Las Vegas bookings were briefly impacted in October as some hotel guests canceled reservations following the attack.
The company did not specify which agencies were investigating, however various federal and state authorities have ramped up investigations across industries to examine whether organizations have taken proper measures to protect customer data. Officials at the Nevada Gaming Control Board, the Federal Trade Commission and the Securities and Exchange Commission declined comment.
MGM Resorts said it has cybersecurity insurance, however it is not clear whether insurance will be able to fully fully cover all related claims. The company also provided extensive details on its cyber resilience strategy, which includes quarterly reports from an audit committee, annual assessments from outside experts and other resilience measures.
MGM Resorts previously suffered a cyberattack in 2019, where the sensitive data of more than 10.6 million guests was stolen and later posted online.
The FTC and SEC have previously taken action against other companies in connection with prior cybersecurity practices. The SEC filed a civil suit against SolarWinds and its CISO in October alleging the company failed to disclose known cybersecurity risks to investors.