MGM Resorts International has revealed new details about the cyberattack it experienced in September 2023, including its financial cost—$100 million in lost profit and almost $10 million in direct expenses. These disclosures have come in the form of a filing with the SEC and a letter from CEO Bill Hornbuckle to the company’s customers.
MGM originally confirmed the attack in a press release and SEC filing on Sep. 12. At that time, it provided very little detail. It was a short statement saying only that the attack had happened, that MGM had shut down some systems, and that it was working with law enforcement.
The new statement is longer and reveals more about the attack. Some information confirms details revealed by ALPHV, a hacker group that claimed responsibility for the attack. It also confirms some inferences based on disclosures by Caesars, which suffered a similar attack.
These include the following pieces of information:
- The attack aimed to steal MGM customer data and was partially successful
- The stolen data includes names, contact information, personal details like dates of birth and driver’s license numbers, and—in a few cases—social security numbers or passport information.
- Most, perhaps all, of the outwardly visible disruption resulted from MGM taking its own systems offline to protect more sensitive customer data.
- According to MGM, no passwords, financial details, or payment card numbers were among the stolen data.
MGM has also followed Caesars’ lead in offering free fraud protection services to affected customers. Those wishing to enroll in those services or who have questions pertaining to the breach can call a dedicated hotline at 1-800-621-9437.
BetMGM-Era Customers Unaffected
One important new fact MGM has revealed is that all the affected data belongs to customers who were in the system before March 2019.
Notably, that means it does not include anyone who is only in the MGM Rewards database due to having signed up with BetMGM, which launched in September 2019.
That would tend to support BetMGM’s claim that the account login difficulties users experienced on Oct. 1 were unrelated to the MGM data breach. (However, many BetMGM users may have already been in MGM’s database for other reasons before it launched).
Retail customers who visited an MGM property before March 2019 may have had their data compromised. The same may be true of anyone who used BetMGM’s New Jersey precursors. Borgata Online and PlayMGM both predated the joint venture with Entain and were operated by MGM directly.
MGM Expects Insurance to Cover Losses
While MGM customers have been fretting about their data, investors have been worried about the attack’s financial impact.
The company’s share prices (MGM Resorts International 39,43 -0,76%) had fallen from $42.70 on Sep. 11 to $34.79 on Oct. 5, their lowest since early January.
Two big questions hovering over the attack and its aftermath were:
- How much revenue was MGM losing due to cancellations and guest compensation during the period of disruptions?
- Would the company’s cybersecurity insurance cover some or all of the losses?
One analyst estimated the loss would be between $4.2 to $8.4 million daily. That may have been a little low. MGM had mitigated the worst effects of its system shutdowns after 10 days but says it estimates the total lost profit at around $100 million.
It says its room occupancy rate dropped to 88%, a five-point drop from 93% over the same period in 2022. However, it’s now back up to 93%, almost the same as 94% last year.
In addition to the lost income, MGM says it spent “less than $10 million” on third-party help to deal with the attack. These included technology consulting and legal fees, among other services. The company believes its insurance will be sufficient to cover all these costs. However, the full scope of the impact has yet to be determined.
Another remaining unknown is the outcome of a flurry of class actions that have targeted MGM and Caesars over their data breaches. That total now stands at ten and counting.
Despite those lawsuits, the news from MGM appears to have been well-received by investors. MGM stock has rebounded 5% since the opening bell this morning. If that holds, it will be the best single-day performance for the stock since the attack came to light.