MGM’s computer system targeted by cyberattack
Many of MGM Resorts International’s websites remained down on Tuesday after a cyberattack that began two days earlier.
MGM Resorts, which is the largest casino operator on the Las Vegas Strip, disclosed the breach on Monday. The company took “prompt action to protect our systems and data, including shutting down certain systems,” it said in a statement posted on social media.
A message on one of MGM’s websites Tuesday said the site “is currently unavailable.” The FBI in Las Vegas is aware of the incident and working with MGM Resorts, according to a spokesperson.
A MGM spokesperson said the attack started Sunday night and affected properties companywide, with some slot machines taken offline and staff operating in “manual mode.”
MGM isn’t the first casino and resort to be targeted by hackers. In 2014, Iran waged a cyberattack against Las Vegas Sands Corp. after its chief executive officer and majority owner at the time, Sheldon Adelson, took an aggressive stance in a speech about the country’s nuclear program. The FBI has warned of the rise of threats against both physical and online casinos.
In an emailed statement on Monday, the company said its casino gaming floors were “operational” and said it was working to resolve the outages.
The Las Vegas-based company said it has notified law enforcement and began an investigation with the help of external cybersecurity experts.
The FBI in Las Vegas didn’t respond to an email seeking comment.
Shares of MGM Resorts fell less than 1%, to $42.45, just after noon in New York on Tuesday.
It wasn’t immediately clear who was behind the attack, and many details of the breach weren’t known.
Systems down
A receptionist who answered the phone this week at Mandalay Bay, an MGM property in Las Vegas that hosts the annual Black Hat cybersecurity conference, said guests had been unable to check in for a short time earlier in the day because the hotel couldn’t get into its system. They were now able to check in, said the employee, who declined to provide his name.
Several accounts on the social media platform X provided further details of the fallout from the attack, though the reports couldn’t immediately be substantiated. One, attributed to John Brennan at the handle @qpr01, said he was in the Borgata casino. “All computer systems are down. Slots will not accept tickets, and anyone trying to cash out is getting the Handpay message regardless of amount,” he said in his post on X.
A receptionist who answered the phone at the Borgata confirmed his account, saying she was told when she got into work at 4 p.m. Monday that the office internet had gone down around four hours earlier.
“The system is still down,” she said on Monday evening, adding that slot machines were only taking cash as a result. She said most guests were understanding but that “a couple are angry.”
First clue
Keith Miller, who is from New York City, said the first clue that there was a problem happened on Sunday, when he and his wife used the MGM app for precheck-in. Normally, he said, they would receive a digital key, but that didn’t happen, so they checked in manually when they arrived in Atlantic City.
The next day, Starbucks and other food establishments wouldn’t accept credit cards, and slot machines wouldn’t take pay vouchers, which they spit out to winners to play in other machines or cash out at the window, he said. Casino employees were handwriting vouchers at slot machines, creating long lines at the cashier’s window, he said.
Miller said they had checked in under his name on Sunday and went to switch to check in again on Monday under his wife’s name, but temporarily couldn’t because the systems were down. They finally got into their room about 4:30 p.m. and plan to stay three more nights.
“We haven’t seen any charges on our credit card yet,” he said. “I’m assuming we are going to be able to stay.”
Hacking risks
MGM Resorts was the victim of a July 2019 data breach that exposed the personal information of as many as 10.6 million customers.
Earlier this month, the FBI said a North Korean outfit known as Lazarus Group had hacked Stake.com, an online casino and betting platform, stealing $41 million in virtual currency.
The Nevada Gaming Commission, which regulates the casino industry in the state, this year introduced new cybersecurity regulations that require casinos to evaluate hacking risks and protect information systems. The aim was to set forth the importance for gaming operators to take necessary steps to protect their information systems, the commission said.
Casinos must also inform the Nevada Gaming Control Board of a cyberattack no later than 72 hours of becoming aware of it.