If you had planned on staying at one of MGM’s Las Vegas locations in the coming weeks, there is some good news: The casino and resort operator has managed to restore functionality to its customer-facing electronic systems, following a cyberattack against MGM’s systems that lasted 10 days.
On Sept. 10, MGM Resorts first became aware of the data breach, which affected everything from casino and hotel computer systems across its Aria, Bellagio, and MGM Grand locations, to the company’s corporate email, restaurant reservation, hotel booking, and digital key card access.
Despite the company’s announcement on X, formerly Twitter, on Thursday that operations had returned to normal, a number of users still reported issues with its mobile app. MGM said it was still working on fixing “those channels.”
Rival casino owner Caesars Entertainment also disclosed last week to federal regulators that it was hit by a cyberattack Sept. 7. It said that its casino and online operations were not disrupted but it could not guarantee that personal information about tens of millions of customers, including driver’s licenses and Social Security numbers of loyalty rewards members, had not been compromised.
Details about the extent of the MGM breach were not immediately disclosed, including the kind of information that may have been compromised and how much it cost the company.
Gregory Moody, professor and director of the cybersecurity program at the University of Nevada, Las Vegas, pointed to quoted estimates that the computer shutdown cost the company up to $8 million per day, which could put the cumulative effect at $80 million. But Moody also noted that MGM Resorts reports annual revenues above $14 billion, which would mean it averages at least $270 million in revenues per week.
The company reported Wednesday that systems handling resort services, dining, entertainment, pools and spas were operational and its website and app were taking dining and spa reservations while the company worked to restore hotel booking and loyalty reward functions.
Experts said the attacks exposed critical cybersecurity weaknesses at MGM and Caesars and shattered an image of casino invulnerability.
“At this point, all casinos should be moving to the highest defensive posture possible and taking active measures to verify the integrity of their systems and environment, and reviewing — if not activating — their incident response processes,” said Christopher Budd, a director of threat research at cybersecurity firm Sophos X-Ops. “There’s been attacks against multiple casinos, and it’s possible we’ll see more.”