2023-10-05 MGM Resorts International Cybersecurity Incident

Page last updated on April 11, 2024

MGM Resorts International initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-10-05 17:15:52 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-09-12
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-10-05

MGM Resorts International filed an 8-K at 2023-10-05 17:15:52 EDT
Accession Number: 0001193125-23-251667

Item 7.01 Regulation FD Disclosure.

On September 12, 2023, MGM Resorts International (the “Company”) issued a statement that it had recently identified a cybersecurity issue affecting certain of the Company’s U.S. systems.

Promptly after detecting the issue, the Company responded swiftly and shut down its systems to mitigate risk to customer information, which resulted in disruptions at some of the Company’s properties but allowed the Company to prevent the criminal actors from accessing any customer bank account numbers or payment card information. Since that time, operations at the Company’s domestic properties have returned to normal and virtually all of the Company’s guest-facing systems have been restored. The Company continues to focus on restoring the remaining impacted guest-facing systems and the Company anticipates that these systems will be restored in the coming days.

The Company believes that the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter. The Company does not expect that it will have a material effect on its financial condition and results of operations for the year. Specifically, the Company estimates a negative impact from the cyber security issue in September of approximately $100 million to Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, collectively. While the Company experienced impacts to occupancy due to the availability of bookings through the Company’s website and mobile applications, it was mostly contained to the month of September which was 88% (compared to 93% in the prior year period). The Company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by Formula 1. The Company is further forecasting occupancy to be 93% in October (compared to 94% in the prior year period) and to fully rebound in November for the Las Vegas Strip Resorts. The Company has also incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third party advisors. Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined.

Based on the ongoing investigation, the Company believes that the unauthorized third-party activity is contained at this time. The Company has determined, however, that the criminal actors obtained, for some of the Company’s customers that transacted with the Company prior to March 2019, personal information (including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers). For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors. The types of impacted information varied by individual. At this time, the Company does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors. In addition, the Company does not believe that the criminal actors accessed The Cosmopolitan of Las Vegas systems or data. The Company also has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud. The Company has established a dedicated help line to address questions about this incident, which can be reached at 800-621-9437 toll-free Monday through Friday from 8 am - 10 pm Central, or Saturday and Sunday from 10 am - 7 pm Central (excluding major U.S. holidays). Please reference engagement number B105892 when calling. The Company also has set up a webpage www.mgmresorts.com/importantinformation with additional information. In the coming weeks, the Company will provide notification by email to individuals impacted by this issue as required by law and will offer those individuals free identity protection and credit monitoring services.

While no company can ever eliminate the risk of a cyber attack, the Company has taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards. These efforts are ongoing.

Company Information