MGM Resorts was relatively quiet about the impact of the recent cyberattack. Thanks to a filing with the Security and Exchange Committee (SEC), we now have much more information on how the company and its customers have been and will be affected.
This week, MGM Resorts filed an 8-K with the SEC. This is similar to how we learned about the Caesars cyberattack earlier this year.
In brief, the company will lose money and the hackers obtained customer data.
MGM Resorts suffers $100 million loss
During the cybersecurity issue, MGM Resorts refused to pay a ransom to the hackers. However, it disclosed that it will lose at least $100 million during the third quarter. The vast majority of the losses were during Q3.
In the filing, the company says September occupancy was 88% compared to 93% last year. While this is a bookkeeping loss, the company says “its cybersecurity insurance will be sufficient to cover the financial impact to its business.”
MGM Resorts is estimating it should be mostly back to normal in October. The company projects its Las Vegas casinos will see an occupancy rate of 93% for the month. This is just off slightly from 94% in October last year.
Additionally, in the filing, the company says it should see record fourth-quarter revenue thanks, in part, to the Las Vegas Grand Prix in November.
In the 8-K SEC filing, MGM Resorts said:
“The company believes that the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third-quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter.
The company does not expect that it will have a material effect on its financial condition and results of operations for the year. Specifically, the company estimates a negative impact from the cyber security issue in September of approximately $100 million to adjusted property EBITDAR for the Las Vegas Strip resorts and regional operations, collectively.”
MGM Resorts CEO Bill Hornbuckle addresses the impact on customers
Not only did the company file a detailed report to the SEC, but MGM Resorts CEO Bill Hornbuckle sent a letter to its customers with more information:
“We responded swiftly, shut down our systems to mitigate risk to customer information, and began a thorough investigation of the attack, including coordinating with federal law enforcement agencies and working with external cybersecurity experts.
While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored. We also believe that this attack is contained.”
MGM Resorts says the attack didn’t “compromise of any customer bank account numbers or payment card information.” However, the hackers did access some customer information.
Customers who visited MGM Resorts properties before March 2019 may have their names, contact information, gender, date of birth, and driver’s license numbers exposed to the hackers.
MGM Resorts is emailing certain customers and offering free identity protection and credit monitoring services. Anyone with questions can visit MGM’s website or call 800-621-9437 (reference engagement number B105892).
The letter from Hornbuckle closes with a thanks and apology: “I’m grateful to our employees for their resilience and dedication during this time.
On behalf of everyone at MGM Resorts, I wish to also thank our customers for their loyalty and patience as we worked through this complex matter. We regret this outcome and sincerely apologize to those impacted. Your trust is paramount to us.”