MGM Resorts International properties across the U.S. are still struggling to recover from a far-reaching cyberattack that shut down reservation systems, digital room keys, credit payments and even the functioning of company websites.
Guests at the MGM Grand, Bellagio and other MGM properties were forced to go through a manual check-in system that involved clerks writing down their credit card numbers for future payment of their hotel bills. Digital key cards did not work in many cases, so getting guests into their rooms was a problem—although no definitive report has been made on how guest room entry was achieved, one report said physical keys were issued to guests.
POS payment systems at restaurants, gift shops, bars and other retail outlets also were shut down, forcing a temporary cash-only policy for food and beverage. On the slot floors, numerous machines were reportedly shut down.
Evidently, the problems began over the weekend of September 9-10. A statement issued by MGM on Monday, September 11, stopped short of calling the event a cyberattack, claiming only that a “cybersecurity issue” had arisen.
“MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems,” said the statement, delivered from a Gmail address because company email was down. “Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”
Late Monday evening, the operator issued a second statement: “Our resorts, including dining, entertainment and gaming, are currently operational, and continue to deliver the experiences for which MGM is known… Our guests remain able to access their hotel rooms and our front desk staff is ready to assist our guests as needed. We appreciate your patience.”
As of Thursday, however, many of the I.T. systems were still inoperable. MGM was still asking guests to call the individual properties to make reservations, as the online reservation system was still down.
According to a report in the Las Vegas Review-Journal, MGM had an emergency system in place under which guests could still check in through the front desks, and would be issued a physical key if their digital keys were inoperable. Dining reservations were open by calling the restaurants directly, or contacting a concierge.
The incident marked the second cybersecurity issue involving MGM in four years. In February 2020, MGM affirmed that its cloud server had been hacked in the summer of 2019 with information including some guests’ driver’s license and passport information stolen.
Tourists interviewed by the Review-Journal reported they needed security officials to let them into their rooms with physical keys, that the in-room televisions were inoperable, and that many of the gaming machines were inoperable or not working properly.
Fox 5 Las Vegas reported on Monday that all computer-based operations at Bellagio were being done manually and that credit cards were not functioning, making operations cash-only. Gambling writer David Danzis in Atlantic City confirmed the issue was also affecting Borgata, and a guest at MGM Grand Detroit reported the same issues with credit card machines, suggesting that the issues are happening at MGM casinos nationwide.
As MGM still was struggling to get its systems back online Thursday, the other major Las Vegas Strip operator, Caesars Entertainment, reported its own cyberattack to the federal Securities and Exchange Commission (SEC).
Caesars reported that a cyberattack occurred on September 7, and that while none of the operator’s systems or games were affected, it could not guarantee the personal information in its 65 million-member Caesars Rewards database—including social security numbers—was secure.
In the filing, Caesars confirmed that sensitive data may have been breached “for a significant number of members in the database.” It also suggested a ransomware attack.
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” the filing said. “The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the filing said.
Brett Callow, threat analyst for the New Zealand-based cybersecurity firm Emsisoft, told ABC that it was not clear if a ransom was paid or who was responsible for either attack, but that “unofficially, we saw a group called Scattered Spider claimed responsibility. They appear to be native English speakers under the umbrella of a Russia-based operation called ALPHV or BlackCat.”
An affiliate of the BlackCat ransomware group, APLHV, also claimed responsibility for the MGM attack, according to the news site BleepingComputer.com. While BleepingComputer could not confirm if that was true, it reported that BlackCat/ALPHV had confirmed that one of its affiliates carried out the attack.