MGM Resorts attack cost it US$100 million in lost revenue — plus US$10 million in cyber expenses

Share post:

Last month’s cyber attack by the AlphV ransomware gang on MGM Resorts cost the company at least US$100 million in disruption and lost business, plus another US$10 million in IT recovery costs, it said in a regulatory filing.

The Thursday filing with the U.S. Securities and Exchange Commissioner also says the attackers stole data on an unspecified number of its customers prior to March 2019. That data included including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers).

For a limited number of customers, Social Security numbers and passport numbers were also obtained by attackers.

“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” the filing adds.

MGM hasn’t said if it paid a ransom.

The costs were caused by the company shutting its IT systems — some for 10 days — as soon as it realized it was under attack on Sept. 12.

Operations at the MGM Resort’s U.S. properties have returned to normal, and virtually all guest-facing systems have been restored, the filing says. It hopes the remaining impacted guest-facing systems will be restored in the coming days.

MGM Resorts is flush enough that it doesn’t expect the attack will have a material effect on its financial condition by the end of its fiscal year. Still, it estimates “a negative impact from the cyber security issue in September of approximately US$100 million to adjusted property EBITDAR (earnings before interest, taxes and other expenses)” for the Las Vegas strip resorts it owns, and regional operations. They include the MGM Grand, Bellagio, Aria, New York-New York, and Mandalay Bay hotels and casinos.

Hotel bookings were hit because the company’s website and mobile applications were temporarily offline. Still, bookings in September were 88 per cent of capacity, compared to 98 per cent in the same month last year. It will help bookings, the filing adds, that a Formula 1 race will be held in Las Vegas in November.

The US$10 million in one-time costs from the cyber attack relate to hiring technology consulting services, legal fees, and expenses of other third-party advisors for incident recovery.

Once news stories emphasized how the attack affected hotel guests, the AlphV gang pushed out a statement saying any inconveniences weren’t its fault. MGM Resorts, not the gang, took IT systems offline, it said.

The post MGM Resorts attack cost it US$100 million in lost revenue — plus US$10 million in cyber expenses first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

CrowdStrike update causes global IT outages, fix is available

Some airlines, banks and government services around the world have been affected by a faulty software update for...

Charges dismissed in SolarWinds hacking case

A judge has dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against SolarWinds related to...

Canadian is among foreign nationals pleading guilty to involvement with Lockbit ransomware

Two foreign nationals have pleaded guilty in the US District of New Jersey to their involvement in the...

FBI rapidly hacks into Trump shooter’s phone, raises privacy concerns

Just two days after the attempted assassination at a Trump rally, the FBI announced it had gained access...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways