Last month’s cyber attack by the AlphV ransomware gang on MGM Resorts cost the company at least US$100 million in disruption and lost business, plus another US$10 million in IT recovery costs, it said in a regulatory filing.
The Thursday filing with the U.S. Securities and Exchange Commissioner also says the attackers stole data on an unspecified number of its customers prior to March 2019. That data included including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers).
For a limited number of customers, Social Security numbers and passport numbers were also obtained by attackers.
“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” the filing adds.
MGM hasn’t said if it paid a ransom.
The costs were caused by the company shutting its IT systems — some for 10 days — as soon as it realized it was under attack on Sept. 12.
Operations at the MGM Resort’s U.S. properties have returned to normal, and virtually all guest-facing systems have been restored, the filing says. It hopes the remaining impacted guest-facing systems will be restored in the coming days.
MGM Resorts is flush enough that it doesn’t expect the attack will have a material effect on its financial condition by the end of its fiscal year. Still, it estimates “a negative impact from the cyber security issue in September of approximately US$100 million to adjusted property EBITDAR (earnings before interest, taxes and other expenses)” for the Las Vegas strip resorts it owns, and regional operations. They include the MGM Grand, Bellagio, Aria, New York-New York, and Mandalay Bay hotels and casinos.
Hotel bookings were hit because the company’s website and mobile applications were temporarily offline. Still, bookings in September were 88 per cent of capacity, compared to 98 per cent in the same month last year. It will help bookings, the filing adds, that a Formula 1 race will be held in Las Vegas in November.
The US$10 million in one-time costs from the cyber attack relate to hiring technology consulting services, legal fees, and expenses of other third-party advisors for incident recovery.
Once news stories emphasized how the attack affected hotel guests, the AlphV gang pushed out a statement saying any inconveniences weren’t its fault. MGM Resorts, not the gang, took IT systems offline, it said.