MGM Resorts International has been saying its hotels and casinos are “operational” following a cyberattack over the weekend that appeared to take down everything from payment systems to sportsbooks.
(Bloomberg) — MGM Resorts International has been saying its hotels and casinos are “operational” following a cyberattack over the weekend that appeared to take down everything from payment systems to sportsbooks.
Some of its patrons begged to differ.
Scanning a largely empty casino floor at the MGM Grand in Las Vegas on Tuesday, Marina Lopez said the hack has been a hassle. Restaurants were only taking cash, as was the poolside bar: She had to pay cash for a margarita the previous day. An even bigger annoyance greeted guests eager to try their hand at the slot machines. Many one-armed bandits, she said, weren’t working.
“People came to play, they couldn’t play and they left,” said Lopez, a hotel guest from Santa Cruz, California.
Days after the cyberattack on Las Vegas-based MGM, the fallout at its properties along the city’s famous strip varied from casino to casino. Sportsbooks were closed at the Cosmopolitan and MGM Grand. Several guests faced long waits to check in because staff was doing everything by hand, jotting down credit-card information on clipboards. Slot-machine attendants cashed out players the same way.
Many of the websites to MGM’s resorts, including the ones used to make reservations, remained down on Wednesday morning. The company was referring customers to third-party websites to make bookings.
“Our investigation is ongoing, and we are working diligently to resolve the matter,” MGM said in a statement Tuesday. “The company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
Shares of MGM were down less than 1% on Wednesday morning in New York, after dropping 4% over the previous two days.
Moody’s Investors Service published a report Wednesday describing the cyberattack as credit negative for MGM Resorts, saying it “highlights key risks related to business operations’ heavy reliance on technology and the operational disruption caused when systems need go offline or are inoperable.” Additional risks include potential revenue losses while systems were down, reputational risk and any direct costs related to investigation and remediation, according to Moody’s.
The report also notes that BitSight, a cybersecurity ratings and analytics company, most recently scored MGM an F for its patching cadence, the speed an organization remediates exposure to known vulnerabilities. MGM didn’t immediately respond to a request for comment on BitSight’s grade.
In Las Vegas on Tuesday, more than half of the guests interviewed at the Cosmopolitan and the Bellagio, which seemed largely unaffected, weren’t aware of the hack. By midday Tuesday, credit cards were being accepted in at least some of MGM’s resorts.
Details of the attack remain scant, including who was behind it, their possible motive and the type of information the hackers may have obtained. The FBI office in Las Vegas was aware of the attack and assisting, an agency spokesperson said. MGM was also the victim of a 2019 data breach that exposed personal information on as many as 10.6 million customers.
MGM shut certain systems after discovering the attack over the weekend and began an investigation with the help of external cybersecurity experts, according to a statement posted on social media. By Monday evening, MGM was saying its resorts, including dining, entertainment and gaming, were “currently operational.”
Clearly not without some snags.
A waiter at the Cosmopolitan, who asked not to be identified, said credit-card payments were working, but online orders and communications between properties remained down.
Traffic at the MGM Grand was noticeably light. A number of slot machines weren’t functioning, and an ATM machine wasn’t providing cash advances.
(Updates with statement from company in seventh paragraph and insights from Moody’s starting in ninth paragraph)
More stories like this are available on bloomberg.com
©2023 Bloomberg L.P.