MGM Resorts International filed a report with the SEC Thursday, indicating that the cyberattack on its systems will cost $100 million in adjusted earnings in September. However, cyber insurance will help recover losses and the casino giant is well positioned for a strong fourth quarter.
The filing came as MGM CEO Bill Hornbuckle issued a statement to customers, professing that hackers didn’t obtain any of their bank account or credit-card information but likely obtained a limited number of Social Security and passport numbers. MGM said it has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud.
It was MGM’s most detailed release of information since reports surfaced of a possible hack on September 10 that impacted slot machines, ATMs, and computer systems across the country. Hornbuckle wrote that the attack, which MGM first admitted on Sept. 12, was contained and operations have since returned mostly to normal, although some guest-facing systems remain days away from being restored.
“The company believes that the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third-quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter,” MGM said in its SEC filing. “The company does not expect that it will have a material effect on its financial condition and results of operations for the year. Specifically, the company estimates a negative impact from the cyber security issue in September of approximately $100 million to adjusted property EBITDAR for the Las Vegas Strip resorts and regional operations, collectively.”
Separately on Thursday, The Wall Street Journal reported MGM refused to pay the ransom demanded by the hackers prior to the disruption of the company’s operations, citing an anonymous source. CDC Gaming Reports has not independently confirmed the Journal‘s reporting.
While MGM experienced a reduction in occupancy due to the unavailability of bookings through the company’s website and mobile applications, it was mostly contained to the month of September, which came in at 88% compared to 93% in the prior-year period, the filing said.
In the filing, MGM said it’s well positioned for a strong fourth quarter, with record results expected in November primarily driven by Formula One.
MGM is forecasting occupancy at 93% in October compared to 94% year over year and to fully rebound in November for the Las Vegas Strip resorts, the filing said. The company reported it incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees, and expenses of other third-party advisors.
“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above, and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” the filing said.
MGM is already facing class-action lawsuits over the cyberattacks.
MGM doesn’t believe criminal actors accessed The Cosmopolitan of Las Vegas systems or data and outlined the steps MGM has taken to prevent further attacks.
“While no company can ever eliminate the risk of a cyberattack, the company has taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards,” MGM said in the filing. “These efforts are ongoing.”
In a statement to customers, Hornbuckle cited “sophisticated criminal actors” launching the cyberattack on MGM’s IT systems. He said MGM responded swiftly, shut down its systems to mitigate risk to customer information, and began a thorough investigation of the attack, including coordinating with federal law enforcement agencies and working with external cybersecurity experts.
“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal and the vast majority of our systems have been restored,” Hornbuckle said. “We also believe that this attack is contained.”
Hornbuckle said they determined that because of “our fast, early response,” the incident did not result in a compromise of any customer bank account numbers or payment-card information.
“We do understand that the criminal actors obtained certain personal information belonging to some customers who transacted with us prior to March 2019,” Hornbuckle said. “This includes name, contact information, gender, date of birth, and driver’s license number. The types of impacted information varied by individual. We also believe a more limited number of Social Security numbers and passport numbers were obtained. We have no evidence that the criminal actors have used this data to commit identity theft or account fraud.”
In the filing, MGM reiterated some of the same information about disruptions to some of its properties and how it shut down its systems to mitigate risk to customer financial information.
“Since that time, operations at the company’s domestic properties have returned to normal and virtually all of the company’s guest-facing systems have been restored,” the filing said. “The company continues to focus on restoring the remaining impacted guest-facing systems and the company anticipates that these systems will be restored in the coming days.”
In his statement, Hornbuckle said protecting personal information is a responsibility MGM takes seriously.
“As part of our remediation efforts, we have rebuilt, restored, and further strengthened portions of our IT environment,” Hornbuckle said. “We will offer free identity-protection and credit-monitoring services to individuals who receive an email from us indicating that their information was impacted.”
MGM has established a dedicated call center that can be reached at 800-621-9437 toll-free Monday through Friday from 8 a.m. to 10 p.m. Central and Saturday and Sunday from 10 a.m. to 7 p.m. Central, excluding major U.S. holidays. (The engagement number when calling is B105892). The company also has set up a webpage.
Hornbuckle thanked MGM employees for “their resilience and dedication during this time.” He also expressed his appreciation of customers for their loyalty and patience as they worked through the matter.
“We regret this outcome and sincerely apologize to those impacted,” Hornbuckle said. “Your trust is paramount to us. We look forward to welcoming you and continuing to deliver the world-class entertainment experiences you expect from us.”
