On Wednesday, September 20, MGM Resorts International announced on its X social media account that full operations have been restored across its nationwide casino properties.
The announcement came 10 days after a cyberattack disrupted reservation systems, front-desk operations, POS payment systems and digital room keys at many of its properties nationwide, as well as causing the shutdown of many slot machines. The company’s website also was affected.
The cyberattack necessitated emergency measures including manual, handwritten check-in, and physical keys to replace digital room keys that did not function at many of MGM’s hotels.
The disruptions continued throughout the week as systems gradually came back online.
“We are pleased that all of our casinos, hotels, dining, entertainment, and resort services are operating normally, and are welcoming thousands of guests each day,” the company said on its X account. “Our amazing employees are ready to help guests with any intermittent issues. We thank you for your patience and look forward to welcoming you soon.
“Please note that Slot Dollars and FREEPLAY are available at all properties. MGM Rewards members’ accounts will be adjusted to reflect Tier Credits and MGM Rewards points at a later date. MGM Rewards points redemption and certain promotional offers may be unavailable. Please see the MGM Rewards desk or your casino host for more details.”
Analysts say the financial losses for the company likely will total between $4.2 million and $8.4 million a day in revenue, and around $1 million per day in cash flow.
JMP Securities gaming analyst Jordan Bender wrote in a research note that its insurance technology team calculated that a ransom to hackers cost between $30 million and $50 million. A previous note by Jeffries analyst David Katz put daily revenue losses between 10 percent and 20 percent.
Bender wrote in his note that MGM’s losses could be covered by a $200 million cyber insurance policy covering ransom payments and business interruption. MGM has not acknowledged the incident was a ransomware attack, nor that the company paid a ransom to hackers to restore operations.
Bender wrote in his note that the insurance would cover up to four weeks of losses if a ransom payment had been made.
“If the breach is fully covered within the policy, MGM will incur minimal costs along the way, and see insurance premiums go up, but it would amount to a drop in the bucket for a company generating $4.7 billion of (cash flow) this year,” Bender wrote.
Caesars Entertainment said in a filing with the Securities and Exchange Commission (SEC) that it had also experienced a cyberattack, on September 7, noting that while operations were not affected, it could not guarantee the personal information in its 65 million-member Caesars Rewards database—including Social Security numbers—was secure, saying personal data may have been breached “for a significant number of members in the database.”
In an 8K filing with the SEC, the company said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
While that indicates a ransomware attack, Caesars, like MGM, has not stated publicly that a ransom had been paid.
Bender said in his note that while several gaming and leisure companies have been hacked recently in cyberattacks, the long—term effects are minimal.
“Historical precedent has shown past hacks of credit cards and personal information within this space have not materially impacted long-term revenue, and in turn, companies saw a recovery in the stock price,” Bender wrote.
