MGM cyberattack likely costliest ransomware attack in history, expert says

Every Las Vegas casino company should be prepared for the possibility of a cyberattack in light of high-profile hacks that occurred in August and September, a software expert told the Las Vegas Review-Journal on Friday.

Brett Callow, a threat analyst for the anti-malware software company Emsisoft, said he believes the financial loss suffered by MGM Resorts International over nine days in September was the costliest ransomware attack in history, surpassing a June 2022 attack against Norwegian aluminum manufacturer Norsk Hydro.

In a Securities and Exchange Commission filing Thursday, MGM estimated its losses at $100 million, affecting third- and fourth-quarter earnings. Analysts believe most of the financial damage would occur in the third quarter. The company is expected to announce financial results later this month or in early November.

Norsk Hydro, which didn’t pay attackers a ransom, estimated its losses at $71 million. It’s unclear whether MGM paid any ransom.

It’s been widely reported that Caesars Entertainment Inc., which suffered a cyberattack in August, paid a multimillion-dollar ransom to attackers but suffered far less damage to its systems than MGM.

Crippling attack

The attack on MGM that began Sept. 10 took down computer systems and crippled operations ranging from the MGM app enabling guests to enter their hotel rooms to slot machine payouts and company email. The company says its systems have since been restored.

“In the case of MGM, it was obviously a fairly significant event, and it could take quite some time to recover from that regardless of whether or not they paid the ransom,” Callow said in an interview. “In the case of Caesars, it could possibly be less extensive and they were able to recover more quickly.”

Because of the publicity of the two attacks, Callow believes other casino companies should be on their guard.

“All sorts of organizations are attacked all the time,” he said. “If an organization has the means to pay, it’s a target. I would fully expect other cybercriminals to be looking at Vegas casinos to see whether there are any exploitable weaknesses in that system.”

He said casino employees should be wary of the social engineering tactics practiced by cybercriminals.

“Social engineering will become more prevalent because it is the soft underbelly for lots of organizations,” Callow said. “They (companies) teach their employees how to deal with electronic threats such as phishing emails, but they maybe don’t put as much emphasis on threats that come in through the phone and that’s something they really need to be paying more attention to.”

Several gaming industry analysts have weighed in on MGM’s public response Thursday.

“MGM Resorts’ disclosure on the recent cyberattack provides us further insight into the impact both in terms of the breach and the monetary impact,” said Brendan Bussmann, a gaming industry analyst with Las Vegas-based B Global. “The $100 million impact on U.S. properties as well as the $10 million on immediate costs to address the issue provide (Wall) Street with some context on the current financial impact to the company.”

Bussmann said MGM needed to make an early statement before it headed into earnings season as well as heading into what will likely be one of the busiest times in Las Vegas, driven by the Formula One Grand Prix race in November and Super Bowl LVIII in February.

“The impact to MGM’s guests is also critical and disclosure of the data that may have been obtained is key to help those consumers protect their data and monitoring its impact in the future,” he said. “The key will be to get these people back to their properties across the U.S. and thank them for their, as the letter stated, ‘patience’ through what has been difficult for the company, its employees and their guests.”

Personal info exposed

Gaming analyst Joseph Greff of New York-based J.P. Morgan noted that cybercriminals may have obtained some personal information from customers — but not from the company’s newest acquisition, The Cosmopolitan of Las Vegas.

In a note to investors, Greff said, “MGM indicated that, based on an ongoing investigation, it believes that the unauthorized third-party activity is contained at this time. MGM ‘has determined, however, that the criminal actors obtained, for some of the company’s customers that transacted with the company prior to March 2019, personal information (including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers). … In addition, the company does not believe that the criminal actors accessed The Cosmopolitan of Las Vegas systems or data. The company also has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud.’ ”

Gaming industry analyst Carlo Santarelli of the New York office of Deutsche Bank said MGM’s stock price is down about 19 percent since news of the cyberattack broke. He also acknowledged that other gaming stocks have been under pressure for different reasons.

“Broadly, we believe the financial clarity around this issue, as well as the reaffirmation of a limited impact to 4Q23 trends, should serve as a positive for shares,” Santarelli said in a Friday note to investors.

MGM shares closed up 4.9 percent Friday, or $1.69 a share, to $36.48 on volume twice the daily average.

Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.