MGM Resorts nationwide work to recover from cybersecurity issue

Officials at MGM Resorts International properties nationwide worked Monday to recover from a crippling cybersecurity issue that affected credit card transactions and other computerized systems throughout its hotel-casinos.

While the company didn’t refer to the matter as a cyberattack, there were indications Monday that MGM shut down some systems to prevent the matter from becoming worse.

The company is directing customers seeking hotel reservations to call properties directly because the online reservation system is inoperative.

“MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems,” a statement from the company — delivered from a Gmail address because company email is down — said Monday morning.

“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”

“Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”

Late Monday night, the company updated its previous statement.

“Our resorts, including dining, entertainment and gaming are currently operational, and continue to deliver the experiences for which MGM is known,” it read in part. “Our guests remain able to access their hotel rooms and our Front Desk staff is ready to assist our guests as needed. We appreciate your patience.”

MGM Resorts has several processes in place to operate and serve guests manually during times of computer system disruption. Among them:

— Guests can check into and out of hotels through the front desk.

— Guests can gain access to their rooms using a physical key if their digital key is inoperative.

Physical keys can be obtained at the front desk.

— Guests can make dining reservations by calling restaurants directly during normal operating hours, or by talking with a property concierge.

The incident marked the second cybersecurity issue involving MGM in four years. In February 2020, MGM affirmed that its cloud server had been hacked in the summer of 2019 with information — including some guests’ driver’s license and passport information — stolen.

Hackers reportedly were responsible for that data breach in which an estimated 10.6 million people were believed affected. MGM said 52,000 people were notified of the hack after the company confirmed that it had discovered someone had gained unauthorized access to “a limited amount of information for certain previous guests of MGM Resorts.”

Checkout lines normal

Checkout lines were normal Monday morning at Bellagio and Mandalay Bay, two of the company’s 10 Las Vegas properties, but there were reports that slot machines at some properties were not working.

The Nevada Gaming Control Board did not reply to an inquiry about whether it was involved in the investigation. The fact that MGM reported the matter to law enforcement authorities indicates a possible cyberattack, and federal investigators generally take the lead on those matters.

Some guests at MGM properties were taking the matter in stride.

“I had to pay for my Starbucks with cash because the systems weren’t working this morning,” said Lilian Calderon, a Mandalay Bay guest from California. “I think some of the slot machines weren’t working but they’re out there fixing them now.”

MGM did not elaborate on what systems were affected or how the incident may have occurred.

Steve Marko, a Portland, Oregon, resident in Las Vegas for the Pac West conference at the Las Vegas Convention Center, said he was affected by the incident.

“It looks like they have some major problems and they’re getting worse,” he said while riding northbound on the Las Vegas Monorail to the conference Monday morning.

The Mandalay Bay Convention Center is hosting the 2023 Toyota National Dealer Meeting, and organizers said they were expected 5,000 people to attend.

‘Not a good week in Vegas’

Outside New York-New York, couples Jerry and Cassandra Bruce and Frank and Tonjua Welch sat at a table while watching their New York Jets take on the Buffalo Bills on Monday Night Football. In town for a week, both couples have been affected by the outage.

The Bruces, who were staying at Mandalay Bay, and the Welches, who were at the Luxor, said they were unable to get into their rooms with their digital key cards. Instead, security had to let them in with actual keys.

They spoke of the TVs in their rooms not working on Sunday night, and of taking a break from gambling and going to sit outside, because some of the gaming machines weren’t working properly.

“We love Vegas,” Jerry Bruce said. “Nothing will deter us from coming back. But it does cut down on the gambling.”

“Between Ed Sheeran and this, it’s not a good week in Vegas,” Tonjua Welch said, referencing the music superstar’s last-minute nixing of his concert at Allegiant Stadium on Saturday.

“It’s an inconvenience,” Cassandra Bruce added.

At around 8:30 p.m. it appeared to be business as usual at MGM Resorts properties MGM Grand, Park MGM and Excalibur.

Gaming machines at each of the properties appeared to be working, and the casino floors were bustling with activity.

At Park MGM, electronic kiosks to access MGM rewards were down.

Front desk lines at MGM Grand and Park MGM were nonexistent. At Excalibur the line was about 10 people long but moving steadily.

Room upgrades denied

A woman who did not identify herself said she was trying to get a room upgrade when she checked in at Excalibur on Sunday, but was told the front desk was unable to fulfill her request because of computer problems.

Others said they were unable to charge expenses to their rooms and were told MGM would bill them later by mail.

A man who described himself as a longtime Bellagio guest, who communicated on the condition of anonymity, said in an email to the Las Vegas Review-Journal that staff members told him that early Monday afternoon the ability to make a charge to a room was back online, but that there continued to be issues with the use of credit cards and accessing cash from on-property ATMs.

A cybersecurity expert at Princeton University said while he could not comment directly on the MGM matter, he cited the University of Michigan’s response to a cyberattack in late August as an example of best cybersecurity practices.

A CBS Network affiliate in Detroit, where MGM has a property, reported how the University of Michigan reacted to its Aug. 27 incident.

“The fact that they took their systems down, like proactively took their systems down, is the indication that it is a cybersecurity incident,” said Dave Kelly, co-founder and chief technology officer of SensCy. “The reason why you do that is that you don’t want it to spread further.”

“They probably didn’t know to what extent they’d been compromised,” said Chris Neuwirth, senior penetration tester and ethical hacker at NetWorks Group. “They probably didn’t know how many accounts were compromised or the initial entry point that the threat actor used to gain access into the network.”

Michigan averted disaster

So, did the university avoid a disaster? Neuwirth thinks it very well could have, a report in the Slashdot blog on issues related to cybersecurity said.

“They likely had very robust backups and data recovery, plans, procedures in place that helped them make the decision very confidently and rapidly,” he said. “Four days in that they’re already bringing up their systems tells me that it’s likely that a lot of what they had been preparing for worked.”

Kelly said those types of incidents are on the rise.

“There’s been a large increase in cybersecurity incidents,” he said. “It’s been trending up, quite frankly, for the last several years. It used to be that these threat actors were targeting the government and Fortune 500 companies, but they’ve started to, more and more over the years, look at universities.”

The Associated Press reported that MGM’s cybersecurity incident began Sunday and the extent of its effect on reservation systems and casino floors in Las Vegas and states including Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio was not immediately known, according to company spokesman Brian Ahern.

A post on the company’s BetMGM website in Nevada acknowledged that some customers were unable to log on.

Properties in Las Vegas include MGM Grand, The Cosmopolitan of Las Vegas, Bellagio, Park MGM, Delano, Excalibur, Luxor, Mandalay Bay, Aria and New York-New York.

Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X. Review-Journal staff writers Brett Clarkson and David Wilson, and digital content producer Tony Garcia contributed to this report.