MGM Sues FTC Over Scattered Spider Hack Probe, Demands Khan Recuse Herself

Posted on: April 15, 2024, 04:08h. 

Last updated on: April 16, 2024, 09:19h.

MGM Resorts International (NYSE: MGM) sued the Federal Trade Commission (FTC) on Monday regarding the agency’s probe into a 2023 cybersecurity breach that plagued the casino giant. The gaming company is also demanding that FTC Chairwoman Lina Khan recuse herself from the case due to potential conflicts of interest.

FTC Chairwoman Lina Khan. MGM sued the commission on Monday, demanding Khan recuse herself from a probe into a 2023 cybersecurity incident. (Image: CNN)

Last September, MGM suffered a roughly week-long outage of its internal cybersecurity and data systems following a hack carried out by the notorious “Scattered Spider” group, a gang of domestic and foreign hackers known for wreaking havoc on companies and governments. The gaming company didn’t pay data thieves to relent, but it did incur a $100 million hit to its third-quarter earnings and $10 million in one-time expenses related to the incident.

In January, the FTC issued a Civil Investigative Demand (CID) to the Las Vegas-based gaming company, requesting scores of data and documents relating to the incident. The following month, MGM attempted to quash that request, noting that some of the information demanded by the FTC could jeopardize the gaming company’s efforts to assist law enforcement agencies in pursuing criminal charges against Scattered Spider.

MGM is also requesting that Khan recuse herself from the case because she and several FTC employees were guests of MGM Grand on the Las Vegas Strip. Reportedly, Khan and her staffers were asked by an employee of the venue to jot their credit card numbers down on pieces of paper, prompting a query from the FTC chair about what the venue was doing to safeguard customer data.

In court documents filed Monday, MGM argued Khan is a potential witness and her participation in the case from an enforcement standpoint creates potential conflicts of interest.

MGM Says FTC Request Flawed

In addition to demanding Khan’s recusal, MGM argued that its Fifth Amendment rights were violated by the FTC’s CID request and that the commission is applying statutes that have never been used with a gaming company.

The Bellagio operator noted the commission is seeking to leverage the “Red Flags Rule” and the “Safeguards Rule,” which apply to financial services companies and other corporations that extend credit. MGM argued that markers for chips extended to guests are not equivalent to the issuance of credit, and that markers aren’t covered by the Red Flags and Safeguards protocols.

“FTC’s purported legal justification for the CID is two financial services regulations, both of which are facially inapplicable to MGM. On this basis, and a catchall invocation of Section 5 of the FTC Act, the FTC seeks to compel MGM to produce more than 100 categories of information,” according to the MGM filing.

MGM added that Khan’s refusal to recuse herself from the case, and the commission’s refusal to force her to do so despite her being a guest of MGM Grand during the data breach, violates its Fifth Amendment rights. The gaming company also claimed that Khan participated in the hearing pertaining to her participation in the case against MGM.

MGM Willing to Cooperate … Sort Of

MGM is showing some willingness to cooperate with the FTC probe, despite the commission’s request for a slew of data and documents that could take weeks to compile. The company asked the US District Court for the District of Columbia to give it more time to comply or force the FTC to abandon the CID request.

The Cosmopolitan operator called the 11-day deadline to comply with the CID request imposed by the FTC “patently impracticable” while calling it a “chilling exercise” of the procedures the FTC has at its disposal with which to challenge CIDs.

“The FTC’s investigative authority is not limitless. It may only conduct investigations pursuant to specific statutory grants of authority,” said MGM in the legal document. “The CID to MGM was premised in large part on facially inapplicable rules without any attempt to delineate which portions of the CID relate to which purported sources of authority.”