MGM Resorts racks up $100M cost from cyberattack

Hackers targeted MGM Resorts in September

MGM Resorts International has revealed the cost of its disruptive cyberattack from September.

The third-quarter cyberattack, which MGM Resorts revealed last month and said has since been contained, will cost $100 million, and the losses will appear in the adjusted property EBITDAR for its Las Vegas Strip Resorts and regional operations, MGM Resorts said. 

The hotel and casino company included the details in a disclosure Thursday to the Securities and Exchange Commission.

MGM hotel

The Park MGM hotel and casino in Las Vegas July 28, 2023. (Bridget Bennett/Bloomberg via Getty Images / Getty Images)

It also registered a one-time expense of less than $10 million. The third-quarter charge, the company said, was for "technology consulting services, legal fees and expenses of other third party advisors." 

LAS VEGAS STRIP CLUB OFFERS FREE LAP DANCES TO CUSTOMERS AFFECTED BY MGM RESORTS CYBERATTACK

The cyberattack against MGM Resorts happened in September. Some of the company’s properties in the U.S., including those on the Las Vegas Strip, experienced disruptions after the company had to take certain systems offline as part of its response. 

Ticker Security Last Change Change %
MGM MGM RESORTS INTERNATIONAL 37.80 -0.20 -0.54%

"While the Company experienced impacts to occupancy due to the availability of bookings through the Company’s website and mobile applications, it was mostly contained to the month of September which was 88% (compared to 93% in the prior year period)," MGM Resorts said. "The Company is further forecasting occupancy to be 93% in October (compared to 94% in the prior year period) and to fully rebound in November for the Las Vegas Strip Resorts."

MGM

Main street of Las Vegas Sept. 15, 2018. (iStock / iStock)

MGM Resorts anticipated seeing "record results" in November "primarily driven by Formula 1," something that it believes will help it have an overall "strong" final quarter of the year," according to the filing. 

The Las Vegas Grand Prix will take place Nov. 16-18 on a 3.8-mile street circuit that will go through the Strip. It will mark the second-to-last race of the season, which will end in Abu Dhabi. 

CAESARS CONFIRMS HACKER STOLE SOCIAL SECURITY NUMBERS, OTHER DATA IN CYBERATTACK

In the second quarter, MGM Resorts saw revenues totaling $3.94 billion and net income amounting to $200.78 million. The former marked a 20.7% year-over-year increase, while the latter was an 88.7% decrease.

"The company does not expect that it will have a material effect on its financial condition and results of operations for the year," MGM Resorts also said in the filing Thursday. 

MGM Resorts International

The casino and hotel company reported "normal" operations at its domestic properties with "virtually all" guest-facing systems returning to service. The rest will come back online "in the coming days," according to the filing. 

During the cyberattack, the hackers are not believed to have gained access to customer passwords, bank account numbers or payment card information, MGM Resorts said.

Person being sneaky behind computer

Fictitious HTML pages and hacker programs are shown on screens while a man has his hands on a keyboard. (Annette Riedl/picture alliance via Getty Images / Getty Images)

However, the names, contact information and other personal information of some people who made MGM Resort transactions prior to March 2019 have been compromised, according to the filing. The hackers also got the Social Security numbers and passport numbers of a "limited number" of people. 

MGM Resorts said it "has no evidence the data obtained by the criminal actors has been used for identity theft or fraud." Nonetheless, the company will provide identity protection and credit monitoring services to those affected by the breach at no charge, per the filing. 

CLOROX SAYS CYBERATTACK WILL IMPACT FIRST-QUARTER NET SALES, EARNINGS

Earlier in the week, Clorox told investors its first-quarter net sales, organic sales, gross margin, diluted net earnings per share and adjusted earnings per share would show negative impacts in its upcoming first-quarter results. It cited a cyberattack it fell victim to in August.