MGM Resorts attack cost it US$100 million in lost revenue — plus US$10 million in cyber expenses

Last month’s cyber attack by the AlphV ransomware gang on MGM Resorts cost the company at least US$100 million in disruption and lost business, plus another US$10 million in IT recovery costs, it said in a regulatory filing.

The Thursday filing with the U.S. Securities and Exchange Commission also says the attackers stole data on an unspecified number of its customers prior to March 2019. That data included name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers.

For a limited number of customers, Social Security numbers and passport numbers were also obtained by attackers.

“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” the filing adds.

MGM hasn’t said if it paid a ransom.

The costs were caused by the company shutting its IT systems — some for 10 days — as soon as it realized it was under attack on Sept. 12.

Operations at MGM Resorts’ U.S. properties have returned to normal, and virtually all guest-facing systems have been restored, the filing says. The company hopes the remaining impacted guest-facing systems will be restored in the coming days.

MGM Resorts is flush enough that it doesn’t expect the attack will have a material effect on its financial condition by the end of its fiscal year. Still, it estimates “a negative impact from the cyber security issue in September of approximately US$100 million to adjusted property EBITDAR (earnings before interest, taxes and other expenses)” for the Las Vegas strip resorts it owns, and regional operations. They include the MGM Grand, Bellagio, Aria, New York-New York, and Mandalay Bay hotels and casinos.

Hotel bookings were hit because the company’s website and mobile applications were temporarily offline. Still, bookings in September were 88 per cent of capacity, compared to 98 per cent in the same month last year. It will help bookings, the filing adds, that a Formula 1 race will be held in Las Vegas in November.

The US$10 million in one-time costs from the cyber attack relate to hiring technology consulting services, legal fees, and expenses of other third-party advisors for incident recovery.

Once news stories emphasized how the attack affected hotel guests, the AlphV gang pushed out a statement saying any inconveniences weren’t its fault. MGM Resorts, not the gang, took IT systems offline, it said.

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
