MGM Resorts Receives Colossal Kick to the Nads in Companywide Cyberattack

MGM Resorts casinos in Las Vegas and beyond are in the throes of a “cybersecurity issue affecting some of the company’s systems.” Which would probably qualify as the understatement of the year.

The “cybersecurity issue” has resulted in a massive cluster, with guests unable to use the digital card keys for their rooms, having to pay cash at casino venues (as credit card systems are unavailable), along with a slew of other headaches, including slot machines, ATMs and the company’s Web site being taken down. Company employees don’t have access to e-mail.

In other words, MGM Resorts is royally scrod.

A.I. thinks lions have furry hands for paws. You try and do better in 30 seconds!

We were the first media outlet to share that something was afoot at MGM Resorts, on Sunday, Sep. 10, 2023 at 7:51 p.m.

Overnight, other incidents were reported, and it became clear MGM Resorts was in full security lockdown mode. This is standard operating procedure when there’s a security breach, to avoid the issue getting worse.

Although, it’s hard to imagine how things could get worse, unless it’s all a diversion so the “Ocean’s Eleven” guys can pull a heist.

This is actually good news, because it means those systems weren’t necessarily compromised, they were taken offline as a precautionary measure. (This helps a lot with the process of getting everything back up and running once the issue is resolved.)

Loyalty club databases are the typical target in such attacks.

Here’s the official statement from MGM.

In case you can’t see Tweets for some reason, the statement says, “MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”

You know it’s bad when they don’t even know the “nature and scope of the matter.”

We’re fairly confident the scope of the matter is disastrous and the nature of it is a ransomware attack.

These attacks aren’t uncommon at Las Vegas casinos. They don’t get reported, but we understand a number of casinos have paid ransoms to get their data or systems back.

We were also the first to share that Caesars Entertainment may have been hit with a similar attack last week, although it was never reported at the time.

In the past, these public companies weren’t really obliged to share the fact they’d been attacked, or that they’d paid ransoms, often in the millions of dollars.

That changed recently when the SEC adopted new rules. Public companies now have to report cybersecurity incidents. Anticipate a flood of such reporting, as the number of incidents continues to increase.

It’s unfortunate MGM Resorts is dealing with this FUBAR situation, but it’s not the company’s first digital security debacle.

MGM Resorts had a massive data breach a few years ago. The company admitted to 10.7 million customer records being compromised. Our sources revealed the number was actually 200 million. Lawsuits are ongoing.

Far be it from us to make light of such a terrible situation, but we’re pretty sure this is all the fault of trees. Just a few days ago, the trees in front of Bellagio (operated by MGM Resorts) were chopped down. Murdered in cold sap. Then this happens. Coincidence?

This tree is definitely giving off hacker vibes.

MGM Resorts operates about half the major resorts on the Las Vegas Strip: Aria, Bellagio, Excalibur, Luxor, Mandalay Bay, MGM Grand, New York-New York and Cosmo.

Our sources say things seem fine at Cosmopolitan, probably because their system hasn’t been fully switched over to MGM Resorts. The loyalty club changes over Feb. 1, 2024.

It sounds like most, if not all, of the MGM Resorts-operated casinos in the U.S. have been hit, but Macau is fine. Technically, “Macao Special Administrative Region of the People’s Republic of China.” Don’t freak out. The last MGM Resorts data breach presumably originated in Iran (per our sources), but nobody’s pinned the current mess on anyone yet. China has better things to do with its time than muck with your Buffalo machine, like banning clothing that hurts their feelings and punishing those asshats who knocked down part of the Great Wall. Here’s a fun fact you didn’t know about Macau! The first known written record of the name “Macau” translates as “A Ma Gang.” This will win you a bar bet someday.

Here’s more about the MGM Resorts cybersecurity attack.

As for the current MGM Resorts train wreck, cybersecurity experts are on the case, according to MGM Resorts. Because they clearly did a great job last time.

If everyone could stop clicking on e-mail attachments, that’d be great.

Update (9/13/23): MGM Resorts has issued a statement, basically saying, “Everything’s hunky-dory!” Let’s just say the statement hasn’t aged well.

Guests and media continue to report widespread disruptions at MGM Resorts casinos. Conclusion: The situation is anything but hunky-dory. Please don’t ask us why a major casino company would even use the term “hunky-dory.” If they had. Which they didn’t. But the kids have no clue what that even means!

A better word would’ve been “shitshow.” Pretty much everyone knows what that means.

If you’re looking for the most up-to-date information about the MGM Resorts cyberattack, check Twitter or X or whatever it’s called now. Our Twitter is currently experiencing maximum snark, and you don’t want to miss out on anything.

There were rumors MGM Resorts employees might not get paid on Friday, but the company reached out to say that concern is unfounded.

A humorous moment in an otherwise agonizing situation: A source at Mandalay Bay informed us a guy walked up to the casino cage and gave the cashier a note demanding $40 million to make the cyberattack stop. We were told the man was apprehended. If he was joking, it’s a little like joking about a bomb as you’re going through a TSA checkpoint. Timing is everything.

MGM Resorts’ phone system remains down, leading to this gem we’re hoping is just back-of-house.

Hotel check-in lines continue to be long (some have reported four-hour waits), with front desk personnel taking information via pen and paper. On the bright side, some hotels are offering bottled water and snacks to those waiting to check in.

Painful.

MGM Resorts venues are taking it old-school. Please be nice to these front line folks, they’re going through a lot.

The latest rumblings are MGM Resorts may throw in the towel and pay the ransom as Caesars Entertainment did. Caesars avoided MGM Resorts’ disaster by paying $15 million to hackers who had stolen their customer data.

Never a dull moment in Las Vegas.

Update (9/14/23): And now a few words from the hackers.

Update (9/20/23): MGM Resorts says everything is awesome and back to normal. It seems whoever wrote their statement hasn’t visited an MGM Resorts casino recently. While some systems have been restored, guests have shared a number of issues at various resorts.

On the same day MGM Resorts reported all is well, they sent an emergency text to employees. It seems Okta is the vendor whence hacker access came. Expect lawsuits galore.

Okta officials have admitted the “bad actors” (a romantic term for hackers) used their technology as an “access vector,” a fancy term for being up a creek without a paddle.

You can hear us talk about the Caesars Entertainment and MGM Resorts hacks on City Cast, a Las Vegas podcast.

Update (10/5/23): MGM Resorts customers received this message via e-mail.

Shout-out to fast, early responses and face-palming.

MGM Resorts issued this official statement. Highlight: “On or around September 29, 2023, MGM Resorts determined that an unauthorized third party obtained personal information of some of its customers on September 11, 2023. The affected information included name, contact information (such as phone number, email address, and postal address), gender, date of birth, and driver’s license number. For a limited number of customers, Social Security number and/or passport number was also affected. The types of impacted information varied by individual. The Company does not believe customer passwords, bank account numbers, or payment card information was affected by this issue. Promptly after learning of this issue, MGM Resorts took steps to protect its systems and data, including shutting down certain systems. The Company also quickly launched an investigation with the assistance of leading cybersecurity experts and is coordinating with law enforcement. MGM Resorts takes the security of its systems and data very seriously and has put in place additional safeguards to further protect its systems.”