Cyber Incident Victim: MGM Resorts International
Date: Sep 2023
Location: United States of America
Summary
MGM Resorts experienced a cybersecurity incident that forced it to shut down many of its IT systems. This impacted its main website, online reservations, and in-casino services such as ATMs, slot machines, and credit card machines. The company switched to manual operations and instructed customers to use phone services. The nature of the attack and the purpose of the attackers were not publicly disclosed.
Description
On or around September 10, 2023, MGM Resorts International began experiencing a significant cybersecurity incident that prompted a widespread shutdown of its information technology systems. The company publicly disclosed the issue on September 11, announcing via its profile on the social media platform X that it had recently identified a cybersecurity problem affecting some of its systems. Upon detection, MGM Resorts immediately initiated an investigation and took prompt action to protect its systems and data, which included the decisive step of shutting down certain systems entirely. The outage reportedly commenced on Sunday night, and as a result, computer systems across the company's numerous resorts were rendered inoperable for a sustained period. The nature of the cybersecurity incident was not publicly disclosed by the company at the time, and the specific motives or objectives of the attackers remained unknown, leaving the scope and intent of the operation unclear to outside observers.

The impact of the system shutdown was extensive and multifaceted, affecting both digital and physical operations across MGM's properties. The company's main website, mgmresorts.com, was taken offline, along with all other websites sharing the same domain name. Visitors to these sites were met with a message instructing them to call a provided phone number for assistance with hotel reservations and other services. This digital blackout extended to various regional properties, including MGM National Harbor, Empire City Casino, MGM Springfield, MGM Grand Detroit, Beau Rivage, and The Borgata, all of which displayed the same unavailable notice. The inability to make online reservations significantly disrupted the customer experience, forcing the company to revert to manual, telephone-based booking processes. Furthermore, the MGM Rewards application, crucial for customer loyalty programs, ceased to function, with affected members being advised to seek help directly at hotel front desks. It was noted that not all MGM applications were affected; the MGM+ app and the MGM sportsbook app continued to operate normally, indicating a targeted or partial impact on the company's digital infrastructure.

Within the physical casinos and hotels, the effects of the cyber incident were equally pronounced and disruptive. Critical in-casino services, such as automated teller machines (ATMs), credit card processing machines, and slot machines, were severely impacted. Reports from guests and local media, including the Las Vegas outlet Vital Vegas, confirmed that slot machines were non-functional, displaying messages indicating they were temporarily unavailable. This disruption to gaming operations represented a direct hit to the company's core revenue-generating activities. Additionally, guests encountered problems with their room keys, which were reported to be non-operational, creating further inconveniences and potential security concerns. The company was forced to switch to manual operations to maintain basic service levels, a clear indication of the severity of the IT outage and the extent to which the organization relied on its now-compromised automated systems. The shift to manual processes likely placed a significant strain on staff and resources, impacting the overall guest experience and operational efficiency.

The company's response to the incident was characterized by a proactive and cautious approach, prioritizing system integrity and data protection above operational continuity. By choosing to shut down affected systems, MGM Resorts aimed to contain the threat and prevent further unauthorized access or potential data exfiltration. This decision, while causing widespread operational disruption, underscored the seriousness with which the company treated the cybersecurity threat. Customer communication was channeled through the outage messages on its websites and via its social media announcement, directing guests to call specific phone numbers for reservations and member services. For MGM Rewards members, a dedicated Member Services phone line was provided, with operating hours between 6 AM and 11 PM Pacific Time. This incident marked the second major cybersecurity event publicly acknowledged by MGM Resorts in recent years, following a breach in 2019 that was confirmed in 2020. The previous incident involved a breach of a company cloud service, which resulted in hackers stealing a vast archive of customer records, including personal details such as names, dates of birth, email addresses, phone numbers, and physical addresses; this stolen data was later shared freely on a hacker forum. The recurrence of a significant cybersecurity event highlighted the persistent threats facing large hospitality and entertainment corporations. The full extent of the 2023 incident, including whether any customer or corporate data was accessed or stolen, remained undetermined at the time of reporting, as the investigation was still ongoing. The company's actions reflected a focus on securing its network and assessing the damage before restoring full services, a process that undoubtedly involved cybersecurity experts and law enforcement agencies. 

The prolonged downtime of critical IT infrastructure suggested a complex recovery process, potentially requiring system repairs, security patches, and thorough forensic analysis to understand the attack vector and prevent future occurrences.
