Did Boyd Gaming pay ransom in cyberattack? Company won’t say

The company, which operates 11 local properties, including three in downtown Las Vegas, reported the cyberattack on Tuesday in a filing with the Securities and Exchange Commission. It didn’t say when the attack occurred or when and how it was discovered.

In a Wednesday email, Las Vegas-based Boyd said it would have no further comment beyond the five-paragraph notice in its SEC 8-K filing.

“Upon detecting the incident, the company promptly took steps to respond to the incident with the assistance of leading external cybersecurity experts and in cooperation with federal law enforcement authorities,” the filing said.

In two high-profile cyberattacks against casino companies in 2023, the victims responded in different ways — Reno-based Caesars Entertainment Inc. reportedly paid a $15 million ransom to criminals who broke into its system in August, while MGM Resorts International, attacked in September, did not. MGM systems were down nine days, inconveniencing thousands of customers.

MGM said the attack against its company ultimately cost it an estimated $100 million.

Boyd isn’t expecting any material costs to its company.

“As of the date of this filing, the company believes that the incident will not have a material adverse effect on the company’s financial condition or results of operations. The company maintains a comprehensive cybersecurity insurance policy, which we expect will cover costs associated with incident response and forensic investigations, as well as business interruptions, legal actions and regulatory fines, if any, subject to policy limits and deductibles,” Boyd’s SEC filing says.

MGM indicated cyberattackers used social engineering — the manipulation of employees to inadvertently divulge sensitive information — to gain access to its computers and telecommunications systems.

Boyd has not said how it believes criminals accessed its systems.

MGM’s 2023 attack

When MGM was victimized in the September 2023 attack, CEO William Hornbuckle offered several details about what happened in a keynote address before hundreds of gaming industry professionals attending the Global Gaming Expo in Las Vegas on Oct. 10, 2023.

In his presentation, Hornbuckle called the attack “corporate terrorism at its finest” as he described the steps the company took to protect data by shutting down systems to prevent further damage.

He said the attack affected telephones, casino slot machine networks, hotel systems and door entry systems for roughly 36,000 hotel rooms.

“We reacted quickly to protect data,” Hornbuckle told the G2E crowd. “And so you saw us shutting down systems by our own design. We found ourselves in an environment where, for the next four or five days, with 36,000 hotel rooms and some regional properties, we were completely in the dark.”

Boyd’s disclosure came as Las Vegas casinos have increasingly found themselves in the crosshairs of cybercriminals

Last week, authorities arrested a teenager in connection with a “sophisticated cybercrime” linked to cyberattacks on Las Vegas casinos in 2023. The Metropolitan Police Department didn’t say whether the arrest involved the MGM or Caesars attacks.

In another high-profile cyberattack on Aug. 24, Nevada officials confirmed the state was hit by a sophisticated ransomware-based cyberattack, which severely impacted government operations such as the Department of Motor Vehicles and social services offices.

Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.