FTC seeks order forcing MGM to respond to cyberattack probe
Updated June 18, 2024 - 7:12 pm
The Federal Trade Commission has filed a petition in U.S. District Court in Nevada to force MGM Resorts International to respond to an investigative demand for information related to the September cyberattack against the Las Vegas-based resort company.
MGM has refused to respond to the civil investigative demand, known as a CID.
“Judicial enforcement is necessary so that FTC staff may thoroughly and expeditiously conduct its investigation,” the FTC said in its petition. “The FTC respectfully asks this court to issue an order requiring MGM to appear and show cause why it should not comply with the CID and thereafter grant the FTC’s petition and enter an order compelling MGM to produce the documents and information specified in the CID.”
The FTC’s petition says it’s important to investigate because since 2019, MGM has had other publicly reported data security breaches compromising consumers’ personal information, according to the agency, the most recent occurring in September 2023. An earlier breach reportedly occurred in February 2019.
The FTC asks that MGM be required to respond to the CID within 10 days of issuance of the court order it seeks.
The petition is related to MGM’s pending April lawsuit, filed against the FTC and its chairwoman, Lina Khan, in the District of Columbia District Court.
“We’ve worked with federal law enforcement from the outset and followed the government’s guidance by refusing to pay a ransom and reward criminals for their horrendous actions,” an MGM spokesman said Tuesday in response to the FTC’s petition. “The idea that the government would threaten and punish victims for doing so sends a dangerous message that emboldens criminals and threatens national security. Our suit against the FTC to protect our rights under due process is still pending.”
Disqualification sought
MGM is asking that Khan be disqualified from participating in the investigation because she and an aide were guests at the MGM Grand in September when the cyberattack — that cost the company an estimated $100 million — was unfolding.
MGM also has asked the court to declare the FTC’s Rules of Practice with respect to Petitions to Recuse Commissioners unconstitutional and to say the company is not subject to two rules imposed on financial institutions — the so-called “Red Flag Rule” and the “Safeguards Rule.”
The “Red Flag Rule” requires companies to create a written identity theft prevention program designed to identify, detect and respond to “red flags” indicating possible identity theft. The “Safeguards Rule” requires covered companies to develop, implement and maintain an information security program.
The FTC considers MGM subject to those rules because they issue “markers” to high-rolling gamblers. While gambling with markers represents a small percentage of casino play, gaming companies say it’s the equivalent of a gambler playing on a tab and not on credit.
The lawsuit also seeks a reasonable deadline to file the CID if the FTC is allowed to continue its investigation. The company wrote a letter to the agency unsuccessfully seeking a deadline extension because the agency is asking for the production of more than 100 different categories of information spanning multiple years. MGM believes much of the information sought is irrelevant to the cyberattack.
The lawsuit, filed June 14, also seeks reimbursement of court costs and other damages the court identifies.
September cyberattack
The incident began in September when MGM’s computer systems were attacked by hackers believed to be an international group with domestic ties seeking a ransom payment.
At the direction of federal investigators, MGM refused to pay a ransom.
During the incident, hundreds of slot machines were inoperative, guests could not access their rooms with smartphones and credit-card payment systems were disrupted, leading to the manual processing of credit-card transactions.
Among the guests were Khan and an aide, who were in Las Vegas for a conference.
On Sept. 15, Bloomberg reported Khan and the aide questioned the procedures MGM was taking during the cyberattack.
“When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper,” the lawsuit says. “As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn’t know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal.”
Four months later, on Jan. 25, the FTC filed its CID.
Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.