MGM Resorts attack cost it US$100 million in lost revenue — plus US$10 million in cyber expenses

Share post:

Last month’s cyber attack by the AlphV ransomware gang on MGM Resorts cost the company at least US$100 million in disruption and lost business, plus another US$10 million in IT recovery costs, it said in a regulatory filing.

The Thursday filing with the U.S. Securities and Exchange Commissioner also says the attackers stole data on an unspecified number of its customers prior to March 2019. That data included including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers).

For a limited number of customers, Social Security numbers and passport numbers were also obtained by attackers.

“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” the filing adds.

MGM hasn’t said if it paid a ransom.

The costs were caused by the company shutting its IT systems — some for 10 days — as soon as it realized it was under attack on Sept. 12.

Operations at the MGM Resort’s U.S. properties have returned to normal, and virtually all guest-facing systems have been restored, the filing says. It hopes the remaining impacted guest-facing systems will be restored in the coming days.

MGM Resorts is flush enough that it doesn’t expect the attack will have a material effect on its financial condition by the end of its fiscal year. Still, it estimates “a negative impact from the cyber security issue in September of approximately US$100 million to adjusted property EBITDAR (earnings before interest, taxes and other expenses)” for the Las Vegas strip resorts it owns, and regional operations. They include the MGM Grand, Bellagio, Aria, New York-New York, and Mandalay Bay hotels and casinos.

Hotel bookings were hit because the company’s website and mobile applications were temporarily offline. Still, bookings in September were 88 per cent of capacity, compared to 98 per cent in the same month last year. It will help bookings, the filing adds, that a Formula 1 race will be held in Las Vegas in November.

The US$10 million in one-time costs from the cyber attack relate to hiring technology consulting services, legal fees, and expenses of other third-party advisors for incident recovery.

Once news stories emphasized how the attack affected hotel guests, the AlphV gang pushed out a statement saying any inconveniences weren’t its fault. MGM Resorts, not the gang, took IT systems offline, it said.

The post MGM Resorts attack cost it US$100 million in lost revenue — plus US$10 million in cyber expenses first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways