This security measure had far-reaching effects, affecting various operations, including booking and reservation systems, as well as the functionality of gaming machines on casino floors.
Hacker groups ALPHV and Scattered Spider later claimed responsibility for the breaches.
In an SEC filing, MGM Resorts disclosed that the breach could result in an approximate $100m negative impact on Adjusted Property EBITDAR for both the Las Vegas Strip Resorts and Regional Operations, collectively.
A $10m expense
Additionally, the company incurred $10m in one-time expenses during Q3 due to the cybersecurity issue, encompassing costs for technology consulting services, legal fees, and other third-party advisor expenses.
While the company believes its cybersecurity insurance will adequately cover these costs and future expenses, it also highlighted that the full extent of the impact and related expenses remains uncertain.
However, despite this operational setback, MGM Resorts expressed confidence that its financial condition and results of operations for the year would not be significantly affected.
Although occupancy rates saw a temporary dip in September, falling to 88% compared to the previous year’s 93%, the company anticipates a robust recovery in the upcoming months.
A pivotal factor in the company’s optimism for Q4 2023 is the expected boost from the Formula 1 event, which is set to deliver record results in November.MGM Resorts International also projects a rebound in occupancy rates, with October expectations at 93% (compared to 94% in the prior year period) and a full recovery anticipated in November for the Las Vegas Strip Resorts.
Stolen data
MGM also revealed that the compromised information included customer names, contact details (phone numbers, email addresses, and postal addresses), gender, date of birth, and driver’s licence numbers.
For a limited number of customers, Social Security numbers and/or passport numbers were also affected.
The specific types of impacted information varied by individual, according to MGM.
However, the company stated that customer passwords, bank account numbers and payment card information were not affected by the breach.
MGM Resorts International stressed that, while no company is entirely immune to cyberattacks, it “takes the security of its systems and data very seriously and has put in place additional safeguards to further protect its systems”.
Moreover, MGM Resorts is in the process of notifying affected customers via email and has arranged to provide them with credit monitoring and identity protection services at no cost.
Legal ramifications
Last month, several class-action lawsuits were filed against MGM Resorts International and Caesars Entertainment, which also fell victim to a cyberattack.
The prominent casino operators are now facing allegations of ineffective cybersecurity measures, purportedly leaving their customers vulnerable to data breaches.
