MGM Resorts reveals expected $100m Q3 hit from Las Vegas cyberattack

MGM Resorts has confirmed a $100m negative impact to its Q3 adjusted property EBITDA in its Las Vegas Strip resorts and regional casino divisions, arising from the September cyberattack.

Making the disclosure in a form 8-K filing to the Securities and Exchange Commission (SEC), the operator confirmed the attack will have “minimal impact” on its Q4 financial results and will not have a material impact on its finances and operational results during 2023.

MGM also revealed a less than <$10m one-time Q3 expense related to the cybersecurity issues, consisting of engaging technology consulting services and paying legal fees and expenses of other third-party advisors.

“While the company experienced impacts to occupancy due to the availability of bookings through the company’s website and mobile applications, it was mostly contained to the month of September, which was 88% [occupancy] (compared to 93% in the prior year period),” MGM said in the filing.

“The company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by Formula 1,” it added.

MGM Resorts was hit by a cyberattack on September 10, with the breach having a significantly detrimental effect on the firm’s operations, most notably in Las Vegas where thousands of resort visitors were affected.

The initial hack saw customer reservations, on-site cash withdrawals, and slot machines on casino floors unusable at up to 30 MGM Resorts venues.

On September 21, MGM Resorts confirmed its return to full operations. Hacker collective ALPHV/BlackCat took responsibility for the hack, although this has yet to be confirmed by the operator.

Information taken by the hackers included customer name, contact information (such as phone number, email address, and postal address), gender, date of birth, and driver’s license number.

MGM has admitted that customers engaging transactions with the company before March 2019 are among those to have this information taken by hackers.

For a limited number of customers, social security and/or passport numbers information was also taken, however the types of impacted information varied by individual.

The operator has said that customer passwords, bank account number or payment card information was unaffected by the hack.

“Based on the ongoing investigation, the company believes that the unauthorized third-party activity is contained at this time,” MGM said in the SEC filing.

“While no company can ever eliminate the risk of a cyberattack, the company has taken significant measures, working with industry-leading third-party experts to further enhance its system safeguards. These efforts are ongoing,” the company added.

MGM has expressed its belief that its cybersecurity insurance policy will be sufficient to cover the financial impacts arising from both operational disruptions and additional expenditure, although the full costs have yet to be determined.

Media reports have estimated the MGM cybersecurity insurance policy to be as high as $200m, however this has not been confirmed by the operator.