MGM Didn’t Pay Hackers, Suffered Financial Consequences

Posted on: October 6, 2023, 03:22h. 

Last updated on: October 7, 2023, 12:42h.

MGM Resorts International (NYSE: MGM) reportedly refused to pay the hackers that recently executed a ransomware attack on its US operations and will suffer a significant reduction in third-quarter earnings as a result.

Bellagio on the Las Vegas Strip. Operator MGM didn’t pay a recent ransomware demand. (Image: YouTube)

On Thursday, the Bellagio operator warned investors its third-quarter earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs (EBITDAR) will be reduced by $100 million due to the attack, which lasted at least 10 days. MGM also said it faces $10 million in one-time expenses attributable to the data breach.

That $100 million likely would have been significantly lower and covered by insurance had MGM opted to pay “Scattered Spider.” Still, sources close to the matter told the Wall Street Journal the casino giant chose not to meet the ransom demand.

That’s a departure from how rival Caesars Entertainment (NASDAQ: CZR) responded when confronted by a ransomware attack executed by the same group. The Harrah’s operator paid $15 million of the $30 million Scattered Spider wanted and didn’t deal with operational chaos as MGM did.

MGM Followed FBI Guidelines

Much as the US government claims not to negotiate with terrorists, the FBI encourages victims of ransomware attacks not to meet the demands of the threat actors.

“The FBI does not support paying a ransom in response to a ransomware attack,” according to the federal law enforcement agency. “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

Apparently, MGM took that advice, but many other companies, including Caesars, that are hit by ransomware attacks do not. As a result, the bad actors are emboldened because they believe the odds are short they’ll be paid. Thus, the frequency of these breaches is increasing.

“The best way to avoid being exposed to ransomware—or any type of malware—is to be a cautious and conscientious computer user,” the FBI added. “Malware distributors have gotten increasingly savvy, and you need to be careful about what you download and click on.”

What’s Next for MGM

Following the attack, MGM rebuilt its cybersecurity systems and bolstered related defenses. That’s a step in the right direction, but the damage is done, and some investors might argue that MGM should have played ball with Scattered Spider and paid them to go away.

The math favors that argument. After all, MGM’s $100 million hit to third-quarter earnings is significantly larger than the $15 million a Caesars insurance carrier paid out.

It is, however, a complex situation. In the month following the attack, shares of MGM tumbled roughly 20%, but the stock surged 4.86% on above-average volume, perhaps spurred by the news the company didn’t comply with the ransom demand.