MGM Resorts, the renowned casino and lodging operator, grappled with an “ongoing” cybersecurity issue that prompted the shutdown of several computer systems, including its website. The company took swift action to address the situation, acknowledging the significant impact on various aspects of its operations, such as reservation systems, booking systems, hotel electronic key card systems, casino floors, and email systems.
Profound Impact on Operations
The initial shutdown had a profound impact on MGM’s business, affecting critical systems responsible for managing reservations, hotel rooms, and restaurant bookings. Despite some progress in restoring functionality, critical components like reservation and booking systems remained offline even more than a day after the incident surfaced. MGM Resorts manages thousands of hotel rooms, and the revenue generated from its hotel rooms in Las Vegas surpasses that from its casino operations, as reported in SEC filings.
Swift Response and Investigation
MGM Resorts promptly initiated an investigation into the incident, enlisting the support of leading external cybersecurity experts. They also cooperated with law enforcement agencies and took decisive measures to safeguard their systems and data, which included shutting down certain systems. The FBI confirmed its awareness of the ongoing incident but provided no further details.
Market Impact and Website Replacement
MGM’s response to the incident had a noticeable impact on its shares, with a 2.4% decline in share prices on Monday. The company’s website was temporarily replaced by a landing page instructing patrons to contact hotels or casinos directly via phone. The exact start time of the outage remains unclear, though some social media users reported issues as early as Sunday night.
Previous Cybersecurity Incidents
MGM Resorts has encountered cybersecurity incidents in the past. In 2020, personal details of over 10 million MGM visitors were exposed on a hacking forum. The data breach had occurred in the summer of 2019, as acknowledged by the company at the time.
Government Response and Critical Infrastructure
The scope of the government’s response, beyond FBI involvement, remains uncertain. The government has recognized the “commercial facilities sector,” encompassing gaming and lodging, as part of critical infrastructure since 2003. Such recognition underscores the potential disruptions, data privacy concerns, and legal and economic burdens associated with cyberattacks in this sector, as highlighted by the Department of Homeland Security in a 2015 sector-specific plan.