MGM Resorts said the previously disclosed cyberattack in September will impact the company’s third quarter financial results by about $100 million, mainly related to the impact on its Las Vegas operations, according to a Thursday filing with the Securities and Exchange Commission.
The company said it will incur about $10 million in costs for technology consultants, legal fees and other third-party advisors.
“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” said MGM Resorts President and CEO Bill Hornbuckle in an open letter to customers Thursday.
Hornbuckle apologized to customers and also expressed gratitude to employees who were stretched thin by the attack, as hotel services like reservations, casino gaming, digital keys and other services were disrupted.
MGM Resorts said hotel occupancies fell to 88% during the month of September, compared with 93% the prior year, mainly due to the cyberattack disrupting the company’s website and mobile apps used for reservations, according to the SEC filing.
The company said it expects a strong fourth quarter and a "record" November, driven by the upcoming Formula 1 race event. October occupancies are expected to reach 93%, down one percentage point year over year.
The company also confirmed that criminal actors, which it did not identify specifically, obtained sensitive data of customers who conducted transactions with MGM prior to March 2019.
The data includes names, addresses, phone numbers, emails, dates of birth, driver's license numbers and in some cases Social Security and passport numbers.
The company does not believe that passwords, credit card numbers or bank account information was obtained and has no information the other personal data has been used for fraud. Customer data from The Cosmopolitan of Las Vegas was not accessed, according to the company.
MGM Resorts said it is working with third-party IT experts to make significant upgrades to its systems to prevent another such attack.
The hackers claimed to have accessed the company’s Okta environment, which has been the target of multiple social engineering attacks. Okta officials denied that their environment at MGM Resorts was compromised, but did confirm it was working with the company to recover from the attack.
Security researchers have attributed the hack to a social engineering attack carried out by a threat group called Scattered Spider working in some capacity with AlphV/BlackCat.
A separate attack was carried out against Caesars Entertainment, which compromised rewards data for customers of that casino operator.
MGM Resorts said it expects it has enough insurance coverage to cover the financial impact of the attack; however, it has not yet fully determined the scope of the financial impact.
JMP Securities analyst Jordan Bender said in a Sept. 19 research note that MGM Resorts had a policy that covered about $200 million related to business interruption and ransomware costs.
Bender said the attack would cost MGM Resorts several million dollars per day due to the operational disruptions; however, the financial impact would be a “drop in the bucket” for the company, given that it was expected to generate $4.7 billion of EBITDAR for the year.
Security researchers said they believe MGM Resorts refused to pay a demanded ransom, which is part of the reason why the disruptions continued for many weeks.
As previously reported, MGM Resorts is facing multiple lawsuits from customers in the U.S. District Court in Nevada alleging negligence and unjust enrichment.
Customers are being notified directly if their information was accessed, and free credit monitoring is being offered.
MGM Resorts on Thursday filed a consumer breach notice with the Maine Attorney General’s office. According to data provided to the AG, the breach was first discovered between Sept. 8 and Sept. 12.
According to the notice, the company determined on Sept. 29 that an unauthorized actor obtained the data of MGM Resorts customers on Sept. 11. Impacted customers are being notified via email.
Editor’s note: This story has been updated with a data breach notification filed with the Maine Attorney General.