weather icon Mostly Cloudy

MGM cyberattack again in the spotlight after lawsuit, broadcast

Updated April 21, 2024 - 8:00 am

You’ve heard of the gift that keeps on giving.

The cybersecurity incident that pummeled MGM Resorts International in September seems to be the attack that keeps on taking.

The incident lasted 10 days starting Sept. 10 and resulted in an estimated $100 million in lost revenue plus the rebuilding of the company’s IT network — and millions of headaches.

Even after insurance covered much of its losses within months, MGM has discovered that the incident continues to affect Nevada’s largest employer.

The cyberattack resurfaced in the news this past week when the company — a crime victim — filed a lawsuit against the federal government agency responsible for protecting consumers from fraud.

The four-count lawsuit, filed Monday in U.S. District Court for the District of Columbia, seeks an injunction to stop or limit a Federal Trade Commission demand for information about the cyberattack. As of midweek, the FTC had yet to respond to the lawsuit in court and had no public comment about it.

‘60 Minutes’ report

The filing of the lawsuit came a day after “60 Minutes,” the venerable CBS investigative news magazine, aired a report on the MGM cyberattack.

While there were only a few new details about the attack itself in the broadcast, correspondent Bill Whitaker drilled down into the investigation and who was responsible for the attack, which temporarily crippled the Las Vegas company.

The broadcast and the lawsuit filing put a new spotlight on the company, which has nine Strip casino-resorts, five affiliated nongaming properties in Las Vegas and dozens more across the country and around the world.

Most analysts have had little to say about the latest publicity about the company.

“I don’t think any of us realized how long the tail on this was going to be when it first happened last year,” offered Josh Swissman, founding partner and managing director of Las Vegas-based GMA Consulting.

No one is speculating about MGM’s chances for success in its lawsuit, which is centered around the misfortune of FTC Chairwoman Lina Khan and a senior aide being guests at MGM Grand just as the cyberattack was unfolding.

Turmoil at MGM

The attack on MGM’s computerized systems resulted in slot machines and ATMs not working or dispensing cash, digital keys not opening hotel room doors, electronic payment systems not accepting credit cards, televisions and telephones not working, elevators and parking lot gates malfunctioning, and long lines at check-in desks and at resort restaurants. When employees admitted to Khan and her aide that they didn’t know how credit card numbers written on pieces of paper were being secured, that information was shared with reporters.

Some of the computer problems actually were created by the company itself as it shut down systems to prevent them from being infiltrated by the hackers.

MGM’s lawsuit against the FTC objects to Khan being a part of the investigation because she personally was affected by the cyberattack when checking in to her hotel while attending a conference. The filing said her participation violates the agency’s own conflict-of-interest rules.

The company also objected to not getting a deadline extended when having to compile more than 100 categories of data for the FTC’s investigation.

New nuggets

Between the court filing and the “60 Minutes” broadcast, a few new nuggets emerged:

-“60 Minutes” reported the hackers sought a ransom of $30 million and, following the recommendation of FBI investigators, the company didn’t pay it. Inszone Insurance Services, which has an office in Las Vegas and has a website detailing implications of the attack, said Caesars Entertainment Inc., which also was attacked last summer, was asked for $30 million, but only paid half that and didn’t suffer any outages. Caesars confirmed that hackers stole its loyalty program database, which included personal information of millions of customers.

-The “60 Minutes” broadcast included an interview with Bryan Vorndran, the head of the FBI’s cyber division, who didn’t speak specifically about the MGM case, but said a domestic group calling itself “Scattered Spider” and a Russian group known as “BlackCat” were likely responsible for the hack. “When we talk about the actors behind some of the more recent ransomware attacks, the name that’s generally raised is Scattered Spider,” he said in the broadcast. “And that’s a criminal group that we have a lot of attention on because of the havoc they’re wreaking across the United States.”

-Others interviewed in the broadcast included Allison Nixon, chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals, and Jon DiMaggio, a former analyst at the National Security Agency, who now investigates ransomware as chief security strategist for the cybersecurity company Analyst1. Nixon said Scattered Spider consists of thousands of hacking experts between the ages of 13 and 25 that invade computer systems for the thrill and the money and are experts at “social engineering” — a technique of convincing a company’s IT gatekeepers of turning over access to the system. DiMaggio said BlackCat, meanwhile, is experienced in negotiating ransoms and planting malware in compromised systems. Together, they team up to hold computer systems hostage for money.

Unanswered questions

There are still questions to be answered about what happens next in the MGM cyber case.

Will MGM be successful in its lawsuit against the FTC? One of the issues raised by the FTC was that MGM had no guidelines for “Red Flag” and “Safeguard” rules normally reserved for financial institutions. MGM believes the FTC is looking into that because casinos offer “markers” to high-rolling gamblers. MGM explains markers as allowing some gamblers to play on a tab while the FTC sees it as a credit arrangement.

Will casino companies have to change their rules on markers in the future?

The MGM case could bring that — and other issues — to light.

Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.

Don't miss the big stories. Like us on Facebook.