MGM expects to lose $100M because of cyberattack, apologizes to customers
Updated October 5, 2023 - 5:11 pm
MGM Resorts International expects to lose $100 million in cash flow as a result of a nine-day cyberattack and told customers Thursday the company would offer free identity protection and credit monitoring services to individuals indicating their information was impacted.
It was the first time MGM acknowledged the incident as a cyberattack, although the company made earlier references to working with the FBI.
The estimated loss reported in a new Securities and Exchange Commission filing and a letter to MGM customers signed by CEO Bill Hornbuckle issued Thursday said the incident did not result in a compromise of any customer bank account numbers or payment card information.
“We do understand that the criminal actors obtained certain personal information belonging to some customers who transacted with us prior to March 2019,” Hornbuckle’s letter to customers said.
“This includes name, contact information, gender, date of birth, and driver’s license number. The types of impacted information varied by individual. We also believe a more limited number of Social Security numbers and passport numbers were obtained. We have no evidence that the criminal actors have used this data to commit identity theft or account fraud.”
Hornbuckle apologized for the outcome and thanked employees for their resilience during the nine days since Sept. 10 that the attack took down computer systems and crippled operations from the MGM app enabling guests to enter their hotel rooms to slot machine payouts and company email.
Hornbuckle said a dedicated telephone call center has been established for customers with concerns. The toll-free number is 800-621-9437, Monday through Friday from 6 a.m. to 8 p.m., or Saturday and Sunday from 8 a.m. to 5 p.m., excluding major U.S. holidays. Callers are asked to reference engagement number B105892 when calling. The company also has set up a webpage at www.mgmresorts.com/importantinformation.
The SEC filing indicated MGM’s third-quarter financial results would be negatively impacted, but that there would be minimal impact in the fourth quarter, particularly for its Las Vegas operations. The company is expected to release third-quarter earnings information in late October or early November. The filing said the company doesn’t expect there to be a material effect on its financial condition and results of operations for the year.
“Specifically, the company estimates a negative impact from the cybersecurity issue in September of approximately $100 million to adjusted property EBITDAR (earnings before interest, taxes, depreciation, amortisation, and restructuring or rent costs) for the Las Vegas Strip resorts and regional operations, collectively,” the SEC filing said. “While the company experienced impacts to occupancy due to the availability of bookings through the company’s website and mobile applications, it was mostly contained to the month of September which was 88 percent (compared to 93 percent in the prior year period).”
The reason the company isn’t expecting longer term financial damage is that it is anticipating a huge fourth quarter, thanks to the company’s proximity to events around the Nov. 16-18 Formula One Las Vegas Grand Prix race on the Strip.
“The company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by Formula 1. The company is further forecasting occupancy to be 93 percent in October (compared to 94 percent in the prior-year period) and to fully rebound in November for the Las Vegas Strip resorts.”
MGM said in the SEC filing that it spent less than $10 million in the third quarter on expenses related to the cyberattack, which consisted of technology consulting services, legal fees and expenses of other third-party advisers.
“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” the filing stated. “Based on the ongoing investigation, the company believes that the unauthorized third-party activity is contained at this time.”
Las Vegas-based gaming industry analyst John DeCree of CBRE Equity Research said he was encouraged by the news and said in a report to investors Thursday that MGM’s outlook is favorable.
“MGM currently believes its cybersecurity insurance will cover all financial impacts, including business interruption and one-time expenses incurred as well as future potential expenses,” DeCree’s note to investors said.
“However, it could take several quarters for MGM to be reimbursed by its insurance carriers. We view the third quarter and fourth quarter impact as one-time in nature, with a future cash offset from insurance proceeds,” he said. “Given the strong occupancy in October and favorable outlook for November, we still expect no long-term impact on the business.”
Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.