What is the MGM cyber attack of 2023?

MGM Resorts, one of the largest casino operators in the world, suffered a cyberattack in early September 2023 that disrupted its operations for several days and resulted in stolen customer data (source). The attack affected some of the most iconic properties on the Las Vegas Strip, such as the Bellagio, the Cosmopolitan and the Mandalay Bay, as well as other MGM resorts across the US. Guests reported issues with slot machines, ATMs, digital key cards, electronic payment systems and online reservations. The company had to resort to using pen and paper for some transactions and waived change and cancellation fees for affected bookings.

The cyberattack was what experts refer to as a “ransomware attack”, meaning that the hackers gained complete control over the company’s computer systems and would not release that control unless the company paid them a ransom. MGM reportedly refused to pay this ransom (source), which resulted in the company having to pay over 10 million dollars for IT consultants to fix the problem. All told, when lost sales and lawsuits are included, MGM is expected to lose more than 100 million dollars due to the attack.

Who cyber attacked MGM?

According to TechCrunch, a hacking group known as Scattered Spider claimed responsibility for the MGM cyberattack. Scattered Spider is believed to be a subgroup of the ALPHV ransomware gang, which has been active since 2020 and targets large organizations with sophisticated malware that encrypts their data and demands payment for its release. Most members of the hacking group have been found to reside in Russia.

Scattered Spider is also suspected of being behind a recent cyberattack on another hotel and casino giant, Caesars Entertainment, which reportedly paid about half of the $30 million ransom demanded by the hackers to prevent the disclosure of stolen data. Caesars confirmed that hackers stole its loyalty program database, which included personal information of millions of customers.

How did Scattered Spider hack MGM?

The exact details of how Scattered Spider hacked MGM are not yet known, but security researchers have some clues based on the group’s previous attacks. According to Ars Technica, Scattered Spider uses fraudulent phone calls to employees and help desks to “phish” for login credentials. The hackers then use these credentials to access the network and deploy their ransomware.

This technique is known as vishing, or voice phishing, and it relies on social engineering and impersonation skills to trick unsuspecting victims into giving away sensitive information. Scattered Spider has been known to pose as IT staff, vendors or partners of the targeted organization and use spoofed phone numbers to make their calls look legitimate.

Has MGM been hacked before?

Yes, MGM has been hacked before. In 2019, MGM Resorts suffered a data breach that exposed personal information on as many as 10.6 million customers, including celebrities, journalists and government officials. The stolen data included names, phone numbers, email addresses and dates of birth. The hackers later posted the data online for anyone to download (source).

MGM Resorts said at the time that it notified affected customers and offered them free credit monitoring services. The company also said that it had “strengthened and enhanced” its security measures since the 2019 breach.

How were guests affected by the MGM Resorts hack?

Guests were affected by the MGM Resorts hack in various ways, depending on the property they stayed at and the services they used. Some of the common issues reported by guests were:

  • Slot machines and ATMs not working or dispensing cash
  • Digital key cards not opening hotel rooms
  • Electronic payment systems not accepting credit cards
  • Online reservations not available or confirmed
  • TV service and phone lines down in hotel rooms
  • Sportsbooks closed or not taking bets
  • Long queues at check-in desks, restaurants and bars
  • Cash-only transactions at some venues
  • Pen and paper used for some transactions

Some guests expressed frustration and disappointment with the situation, while others were more understanding and sympathetic. Some guests also praised the staff for their professionalism and helpfulness during the outage.

Was any customer info stolen in the 2023 MGM Resorts data hack?

According to a press release from MGM Resorts, the affected information included name, contact information, gender, date of birth, and driver’s license number for some of its customers who used MGM services before March 2019. For a limited number of customers, Social Security number and/or passport number was also affected. The company said it has no evidence that the hackers have used this data to commit identity theft or account fraud. The cyber-attack also caused a $100 million hit to the company’s third-quarter results, as it had to shut down certain systems and restore its operations. The FBI is investigating the breach, which is believed to have started with a social engineering attack on the company’s IT service desk.

What are lawsuits hoping to achieve by suing MGM Resorts?

Remedies in data breach class actions generally include the following types of relief:

  • Reimbursement of fraud losses for consumers who experienced actual identity theft;
  • Reimbursement of indirect out-of-pocket costs incurred, such as credit monitoring fees, credit report fees, or credit freeze fees that consumers spent to protect themselves;
  • Compensation for time spent responding to the breach (for example, $20 per hour for up to five hours); and
  • Free credit monitoring and identity theft insurance for several years beyond the defendant’s initial offer when the breach was first announced.

Defendants also generally agree to make improvements to their data security systems as part of class action settlements. We are seeking these types of remedies in the class action. However, there is no guarantee that these or any other remedies will be achieved in the litigation. Regardless, J&Y Law Firm has a history of successfully holding organizations accountable that do not adequately protect their customers’ data.

What to do if you were affected by the hack?

Right now, at least 10 lawsuits have been filed against MGM Resorts for their role in the data breach. J&Y Law Firm in Los Angeles, CA is one of the firms that is currently suing MGM Resorts and is looking for affected MGM customers to join the class action suit. If you have been affected by the MGM Resorts hack of September 2023, please call J&Y Law Firm right now to learn about how you can join the lawsuit and fight to gain compensation for the incredible risk that you have been exposed to. Please call J&Y Law Firm at (877) 596-6061 to talk to a lawyer right away to begin the process of taking your identity back.