MGM Resorts International and Caesars Entertainment Inc. recently provided updates regarding the cyberattacks they experienced. However, these hotel and casino operators left some stakeholders wanting more information.
MGM Resorts filed an 8-K form with the Securities and Exchange Commission on Tuesday, acknowledging that the cyberattack poses a significant risk to the company. The attack has resulted in the shutdown of MGM's website and has impacted various aspects, including credit-card transactions, digital hotel-room keys, slot machines, and sports-betting kiosks.
Following the detection of the issue, MGM Resorts initiated an investigation with the help of leading external cybersecurity experts. Law enforcement has been notified, and steps are being taken to safeguard systems and data by shutting down certain operations.
Although an update on the current impact was not provided, MGM's main website remained offline. The company, however, empathized with travelers whose plans have been affected by offering waived change and cancellation fees for hotel reservations scheduled between September 13-17, 2023.
According to the Wall Street Journal, MGM Resorts resorted to backup protocols this week, manually checking in guests using pen and paper and handling slot-machine wins through manual payouts.
Moody's Investors Service cautioned that this attack could have a negative impact on MGM's credit. The rating agency emphasized the risks associated with the heavy reliance on technology within MGM's business operations and the operational disruption caused when systems go offline or become inoperable.
On social media, users expressed their frustration with MGM's lack of information in their recent update.
Caesars Discloses "Suspicious Activity" in IT Network
Caesars has recently revealed that it detected "suspicious activity" in its information-technology network. The company disclosed that the incident was a result of a "social engineering attack" on one of its outsourced IT support vendors.
Potential Data Breach
During the attack, the cyberattacker managed to obtain a copy of Caesars' loyalty-program database. This database contains sensitive information such as driver’s license numbers and Social Security numbers belonging to a significant number of program members. Although the company claims to have taken steps to delete the stolen data, they cannot guarantee complete eradication.
In response to the incident, Caesars has incurred and may continue to incur expenses related to addressing the attack. These expenses include costs for response, remediation, and investigation.
Caesars' Response to Demands
According to reports from the Wall Street Journal, Caesars paid approximately half of the $30 million demanded by the attackers. However, the company has not provided further information regarding the details of the attack or the safety of its systems.
Regulatory Requirements and Cybersecurity Measures
Caesars' disclosure coincides with the impending implementation of a new SEC rule set to take effect in December. This rule will mandate that companies disclose any hacks deemed material to their business within four days. The Nevada Gaming Commission already requires casinos, including MGM and Caesars, to report cyberattacks within 72 hours and undertake measures to safeguard their systems, including regular cybersecurity assessments.
While MGM's stock remained unchanged, Caesars' stock saw a slight increase of 0.2% following the disclosure. However, both companies have experienced declines in stock value over the week. The broader market, represented by the S&P 500 index, has seen a 0.6% increase during the same period.