MGM Resorts International released new details about the cyberattack it suffered in September 2023, including $100 million in lost profits and about $10 million in direct costs. These disclosures include letters filed with the SEC and sent by CEO Bill Hornbuckle to the company's clients.
MGM originally confirmed the attack through a September 12 press release and SEC's data. Few details were provided at the time. It was a short statement that the attack occurred, that MGM had shut down some systems, and that it was working with law enforcement.
The new statements are longer and more revealing about the attacks. There is also information confirming details revealed by ALPV, a group of hackers claiming responsibility for the attack, as well as reasoning based on the revelations of Caesars, which was similarly attacked.
This includes the following information:
The attack was intended to steal data from MGM customers and was partly successfulStolen data includes personal information such as name, contact information, date of birth and driver's license number, and in some cases, social security number or passport information.As MGM takes its own systems offline to protect more sensitive customer data, the apparent disruption will be most likely.According to MGM, none of the stolen data were passwords, financial information, or payment card numbers.MGM is also providing free fraud protection to affected customers, succeeding Caesars. Those who wish to join the service or have questions about the breach can call the dedicated hotline at 1-800-621-9437.
BetMGM-Era customers are not affected
One of the key new facts MGM has revealed is that all the affected data belongs to customers who were in the system before March 2019.
Specifically, the contract with BetMGM, which launched in September 2019, does not include people who are only in the MGM Rewards database.
This tends to support BetMGM's claim that account login issues experienced by users on October 1 were unrelated to MGM data leaks (but many BetMGM users may have already been in the database for other reasons before MGM began).
Retail customers who visited MGM buildings before March 2019 may have compromised their data. The same may be true of anyone who has used BetMGM's New Jersey precursor. Borgata Online and PlayMGM were both directly operated by MGM prior to their joint venture with Entain. 슬롯
MGM expects insurers to make up for losses
While MGM customers are nervous about their data, investors have been worried about the financial impact of the attack.
The company's shares (MGM Resorts International 37,39 +0,56%) hit their lowest level since early January, from $42.70 on September 11 to $34.79 on October 5.
There are two big questions about the attack and its aftermath:
How much did MGM's sales decline during the suspension due to cancellations and guest compensation?Does your company's cybersecurity insurance cover some or all of your losses?One analyst estimated daily losses of between $4.2 million and $8.4 million. This might have been a little low. MGM said it mitigated the worst impact of system outages 10 days later, but estimated total losses at about $100 million.
Room occupancy was 88%, down 5 percentage points from 93% in the same period of 2022, but it said it has now recovered to 93%, almost the same as last year's 94%.
MGM says in addition to lost revenue, it has spent "less than $10 million" on third-party help to deal with the attack. This included technical consulting and legal costs, among other services. The company believes its insurance will be sufficient to cover all these costs. However, the full extent of the impact has not yet been determined.
Another unknown is the result of class action targeted by MGM and Caesars for data breaches. Now the total is 10 and it's being tallied.
Despite those lawsuits, MGM's news appears to have been well received by investors. MGM shares have rallied 5% since the opening bell this morning. If that holds, it will be the best performance in the day since the attack became known.