weather icon Clear

MGM Resorts seeks to block FTC request for cyberattack data

Updated April 12, 2024 - 7:23 pm

MGM Resorts International is seeking to quash a Federal Trade Commission request for information on last fall’s cyberattack, saying the request is overreaching and contrary to the company’s efforts to assist federal law enforcement investigators.

The Las Vegas-based casino company — the state’s largest employer — filed the petition to quash or limit the FTC’s “civil investigative demand” (CID) on Feb. 20. The FTC seeks hundreds of pages of data that MGM says is irrelevant to the case and that it fears could be detrimental to the FBI’s investigation into who was responsible for the attack that crippled MGM’s computer systems for nine days beginning Sept. 10, affecting operations at all its properties nationwide and inconveniencing thousands of guests.

The case is complicated by reports that FTC Chairwoman Lina Khan and an unnamed senior aide were guests of the MGM Grand and attending a conference in Las Vegas at the time the cyberattack was being carried out. Khan’s check-in to the hotel was affected by the attack, and the aide told news outlets about having to write down credit card numbers during check-in.

An FTC representative had no comment on the filing and said in general the FTC does not comment on active investigations.

MGM officials issued an emailed statement Friday afternoon: “We’ve worked closely with federal law enforcement since the beginning of our cyber incident and, consistent with their guidance, refused to pay a ransom to the international criminal actors who perpetrated this act. We are extremely disappointed to now be the subject of this FTC investigation, which may not have occurred if we had taken the easy road and paid the ransom.”

The petition to the FTC details several reasons why the company is seeking to quash the request.

The FTC initially sought “reams of documents and information” from MGM on Jan. 25.

“The CID calls for the production of more than 100 different categories of information, spans multiple years with no relevance to the attack, and, perhaps most problematic of all, represents an unprecedented attempt by (FTC) staff to invoke the Safeguards Rule and the Red Flags Rule, which do not apply to MGM’s operations,” the petition says.

The “Red Flags Rule” requires financial institutions and creditors to create a written identity theft prevention program designed to identify, detect and respond to “red flags” indicating possible identity theft. The Safeguards Rule requires covered companies to develop, implement and maintain an information security program.

MGM met with the FTC on Feb. 6 and asked for a deadline extension to meet its information request.

The FTC refused.

On Feb. 13, MGM sent a detailed letter regarding the FTC request and a week later issued its formal petition to quash.

MGM argues that even though it issues “markers” to high-rolling gamblers it is not subject to rules imposed on financial institutions. Nevada law says markers — giving a casino’s biggest players the ability to gamble on a tab — is similar to accepting personal post-dated checks.

The company said markers are rarely issued and represent a fraction of the amount regularly played in casinos.

MGM also says in its petition that it has fully cooperated with federal law enforcement, including taking its advice not to pay a ransom demanded by the hackers.

“The CID risks jeopardizing those efforts and unfairly places MGM in a risky and highly prejudicial position because it encompasses information related to these criminal investigations,” the petition says. “Plainly, the request disincentivizes cooperation with law enforcement by companies subject to cyberattacks or other crimes.”

MGM estimated the economic damage from the cyberattack at $100 million, but most of that was recovered through insurance.

The company countered the attack by taking several computer systems offline to protect them from further intrusion from the hackers, believed to be an international group with domestic ties seeking a ransom payment.

During the incident, hundreds of slot machines were inoperative, guests could not access their rooms with smartphones and credit card payment systems were disrupted, leading to the manual processing of credit card transactions.

The FTC did not project how long it could take to consider MGM’s petition. But other cases involving requests to quash a CID have taken months to resolve. MGM also could potentially appeal the decision in court.

Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.

Don't miss the big stories. Like us on Facebook.