MGM Resorts International anticipates taking a $100 million financial hit in the aftermath of a cyberattack that primarily affected its Las Vegas operations.
The company initially acknowledged the cyberattack in a press release last month but provided further details in a recent regulatory filing. MGM stated that it "shut down its systems to mitigate risk to customer information, which resulted in disruptions at some of the company's properties but allowed the company to prevent the criminal actors from accessing any customer bank account numbers or payment card information."
As a result of the attack, MGM confirmed that certain personal information had been compromised for business conducted before March 2019. This information includes names, phone numbers, email and postal addresses, genders, dates of birth, and driver's license numbers. A limited number of customers also had their Social Security numbers and passport numbers accessed.
MGM acknowledged that the cyberattack will negatively impact its third-quarter results but expects a minimal impact during the fourth quarter. However, it does not believe the incident will have a material effect on its overall financial condition and results of operations for the year.
The company disclosed that it incurred less than $10 million in one-time expenses related to the cyberattack. These expenses include technology consulting services, legal fees, and expenses for other third-party advisers. While MGM believes its cybersecurity insurance will cover losses due to operational disruptions, it acknowledges that the full extent of the impact is yet to be determined.
Although the company believes the breach is contained, it is continuing to engage third-party experts to further enhance its cybersecurity defenses.
MGM is not the only gaming company dealing with the aftermath of a data breach. Last month, Caesars Entertainment disclosed that an unauthorized actor had accessed its loyalty program database, which included driver's license numbers and/or Social Security numbers. Caesars reportedly paid approximately half of a $30 million ransom demand, while MGM opted not to pay.
This incident highlights the increasing scrutiny of company breach disclosures, especially with the approaching compliance date of the Securities and Exchange Commission's rule, which requires material cybersecurity incidents to be disclosed within four business days.
By fLEXI tEAM