MGM Resorts attackers hit personal data jackpot, but house lost $100M

MGM Resorts has admitted that the cyberattack it suffered in September will likely cost the company at least $100 million.

The effects of the attack are expected to make a substantial dent in the entertainment giant’s third-quarter earnings and still have a noticeable impact in its Q4 too, although this is predicted to be “minimal.”

According to an 8K filing with the Securities and Exchange Commission (SEC) on Thursday, MGM Resorts said less than $10 million has also been spent on “one-time expenses” such as legal and consultancy fees, and the cost of bringing in third-party experts to handle the incident response.

These are the current estimates for the total costs incurred by the attack, which took slot machines to the sword and borked MGM’s room-booking systems, among other things, but the company admitted the full scope of costs has yet to be determined.

The good news is that MGM expects its cyber insurance policy to cover the financial impact of the attack. 

The company also expects to fill its rooms to near-normal levels starting this month. September’s occupancy levels took a hit – 88 percent full compared to 93 percent at the same time last year – but October’s occupancy is forecast to be down just 1 percent and November is poised to deliver record numbers thanks to the Las Vegas Formula 1 event.

“Operations at the company’s domestic properties have returned to normal and virtually all of the company’s guest-facing systems have been restored,” said MGM Resorts. “The company continues to focus on restoring the remaining impacted guest-facing systems and the company anticipates that these systems will be restored in the coming days.”

The attack itself is thought to be entirely contained now, but the final remediation efforts are still ongoing.

MGM Resorts confirmed personal data belonging to customers had been stolen during the course of the intrusion. Those who became customers before March 2019 may be affected.

Stolen data includes social security numbers, driving license numbers, passport numbers, and contact details such as names, phone numbers, email addresses, postal addresses, as well as gender and dates of birth.

At this time, there is no evidence to suggest that financial information including bank numbers and cards were compromised, and passwords are also believed to be unaffected.

Fellow Las Vegas strip giant Caesars Entertainment was also targeted by cybercriminals during the same period, admitting that it too had data related to social security and driving license numbers stolen.

The casino outfit has yet to quantify the financial impact of that incident, which is believed to have been caused by an attack on a third-party IT provider.

While MGM Resorts doesn’t believe the stolen data was yet used in any identity theft or fraud attempts, it has advised all customers to remain vigilant and is offering free credit reports, it said on a dedicated web page for information regarding the breach.

“Promptly after learning of this issue, we took steps to protect our systems and data, including shutting down certain systems,” it said. “We also quickly launched an investigation with the assistance of leading cybersecurity experts and are coordinating with law enforcement. We take the security of our systems and data very seriously and have put in place additional safeguards to further protect our systems.

• Lorenz ransomware crew bungles blackmail blueprint by leaking two years of contacts
• IT networks under attack via critical Confluence zero-day. Patch now
• ‘Gay furry hackers’ brag of second NATO break-in, steal and leak more data
• MGM Resorts shuts down website, computer systems after ‘cybersecurity incident’

“MGM Resorts is notifying relevant customers by email as required by law and has arranged to provide those customers with credit monitoring and identity protection services at no cost to them. Individuals who receive an email from MGM Resorts about this issue should refer to that email for additional information and instructions for enrolling in these services.”

Adam Marrè, CISO at cybersecurity outfit Arctic Wolf, told The Register: “When looking at the total cost of a breach, such as the one which impacted MGM, many factors can be taken into account. This can include a combination of revenue lost for downtime, extra hours worked for remediation, tools that may have been purchased to deal with the issue, outside incident response help, setting up and operating a hotline for affected people, fixing affected equipment, purchasing credit monitoring, and sending physical letters to victims. Even hiring an outside PR firm to help with crisis messaging. When you add up everything, $100 million does not sounds like an unrealistic number for organization like MGM.

“Stolen information can be used in identity theft or sold to other criminals to use it in this way. It can also be used for spear phishing or other social engineering campaigns, including SIM swapping, to assist in other attacks, and so the value of the data is high.”

Who is behind the attack on MGM Resorts?

Cybercrime group Scattered Spider claimed responsibility for the attack on MGM Resorts, previously claiming they took 6TB of data in the attack.

The social engineering specialists are thought to be a Lapsus$-like band of miscreants that, according to Mandiant, have already snared more than 100 victims since emerging in 2022.

Using phone and SMS-based phishing tactics mainly, the group started out focusing only on data theft for the purposes of extortion, before expanding to ransomware attacks earlier this year.

It’s thought to be an affiliate of the ransomware-as-a-service (RaaS) group AlphV, a group that made public statements about the attack on its website, claiming to have launched ransomware on MGM Resorts’ systems, impacting more than 100 ESXi hypervisors.

MGM Resorts is yet to detail the full nature of the cyberattack and has not officially confirmed if ransomware was involved or not.

According to Mandiant, Scattered Spider knows Western business practices well, an observation that could possibly hint at where its members are based.

The incident response company tracks Scattered Spider as UNC3944 and also linked it to the attack on Okta last year, which in turn affected a score of its business customers.

“It is plausible that these threat actors may use other ransomware brands and/or incorporate additional monetization strategies to maximize their profits in the future,” Mandiant said. 

“We anticipate that intrusions related to UNC3944 will continue to involve diverse tools, techniques, and monetization tactics as the actors identify new partners and switch between different communities.”