MGM Target of FTC Investigation Following 2023 Hack

Posted on: April 11, 2024, 12:56h. 

Last updated on: April 11, 2024, 09:50h.

The fallout from the 2023 cybersecurity breach that wrought havoc on MGM Resorts International’s domestic operations continues as the Federal Trade Commission (FTC) is investigating the casino giant’s response to the hack.

FTC Chairwoman Lina Khan. The commission is probing MGM related to a 2023 cybersecurity incident. (Image: CNN)

In January, the FTC issued a Civil Investigative Demand (CID) to the Las Vegas-based gaming company, requesting scores of data and documents relating to the incident. The following month, MGM filed a motion to quash the CID.

The CID calls for the production of more than one hundred different categories of information, spans multiple years with no relevance to the attack, and, perhaps most problematic of all, represents an unprecedented attempt by Staff to invoke the Safe Guards Rule and the Red Flags Rule, which do not apply to MGM’s operations. For these reasons, and despite MGM’s attempts to informally resolve these issues with Staff, MGM was left with no choice but to file this Petition to Quash or Limit,” according to legal filing by the gaming company.

A September 2023 cyberbreach engineered by a group of domestic and foreign hackers known as “Scattered Spider” cost the Bellagio operator $100 million in third-quarter third-quarter earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs (EBITDAR), and $10 million in one-off legal and other expenses.

Rival Caesars Entertainment paid Scattered Spider $15 million to end a separate cybersecurity incident. MGM complied with FBI guidelines in not compensating the bad actors.

Bad Luck for MGM

In a cruel twist of fate for MGM, FTC Chairwoman Lina Khan and several staffers attempted to check into the MGM Grand on the Las Vegas Strip last September while the gaming company was in the midst of grappling with the cyberintrusion.

News reports indicated Khan and more than 40 other guests were forced to jot their credit card numbers down on pieces of paper to provide to front-desk employees at the casino hotel. Reportedly, that sparked a query by Khan to an MGM Grand staffer regarding what the company was doing to protect customer data.

It’s unlikely that the interaction was the impetus for the commission investigating MGM’s response to the hack and while the gaming company asserts that the FTC leveraging safeguard and red flag rules exceeds the commission’s authority, the gaming company could have other matters to contend with.

Namely, the FTC could leverage MGM’s reputation for slack cyber defenses prior to the hack against it. Last September, Boston-based BitSight, a cybersecurity ratings and analytics company, graded MGM’s patching cadence with an “F.” Patching cadence is the speed at which an organization addresses known cyberissues and vulnerabilities.

The Cosmopolitan operator also suffered a cyberattack in 2019 in which eight gigabytes of customer data were stolen and posted on a messaging platform in 2022.

MGM Says it’s a Victim, CID Places it in Bad Spot

In its filing to quash the CID, MGM said it’s the victim of a crime “with an intense and legitimate interest” in seeing the alleged perpetrators brought to justice.

The company added that it’s been fully cooperating with law enforcement and that the FTC’s CID request includes a demand for criminal information that could jeopardize criminal investigations. MGM believes that request was intentional by the FTC.

“Indeed, during the parties’ meet and confer on February 6, 2024, Staff requested that MGM prioritize the production of information provided to law enforcement agencies, and expressly requested that MGM produce any information MGM previously provided to the Federal Bureau of Investigation (“FBI”) as quickly as possible. Staff’s attempt to obtain this material should be quashed, at least until the conclusion of the relevant prosecutions,” according to the MGM legal document.