Hospitality and entertainment giant MGM Resorts said costs from last month’s debilitating ransomware infection have exceeded $110 million, including $10 million in one-time consulting clean-up fees.
In an SEC 8-K filing, MGM Resorts said the data-extortion attack caused operational disruptions, especially in its Las Vegas properties, and an estimated financial toll that includes about $100 million in lost revenue.
MGM Resorts, which manages prominent hotels like Mandalay Bay (site of the Black Hat security conference), Bellagio, MGM Grand, Aria, Luxor and the Cosmopolitan, said it also shelled out $10 million for technology consulting services, legal fees and expenses of other third party advisors.
The company confirmed “disruptions” at some of its properties but said the breach did not cause the loss of any customer bank account numbers or payment card details.
However, MGM Resorts said the hackers stole personal information (including name, contact information (phone number, email address and postal address), gender, date of birth and driver’s license numbers).
“For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors,” the company added.
“The types of impacted information varied by individual. At this time, [we] do not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors. In addition, the Company does not believe that the criminal actors accessed The Cosmopolitan of Las Vegas systems or data,” MGM Resorts added.
A known ransomware gang called Scattered Spider has taken credit for the September hack that impacted MGM’s website, casinos, and systems used for email, restaurant reservations, and hotel bookings, and even digital hotel room keys.
Scattered Spider, according to published reports, also hacked casino giant Caesars Entertainment and collected millions in data extortion ransom payments.