$13 billion MGM Resorts in severe cybersecurity incident


Our report has been extensively updated on September 13 here, including with the claims that the incident started with a social engineering call.

MGM Resorts has confirmed it is suffering a “cybersecurity issue” that shut down systems at Las Vegas venues including the MGM Grand.

The incident has pushed websites for its resorts including the Aria, the Bellagio, Luxor, MGM Grand and Mandalay Bay offline this week.

Even slot machines that look operational (many are visibly offline) are reportedly unplayable, according to local reports. (MGM Resorts makes ~$15 million daily across its venues from casino revenues alone.)

One guest said: “It's pretty widespread. We can't check in, pay with card, use comps, receive our gifts, get tickets out of machines…”

The company has since stressed by email to press that its casino gaming floors are “operational” and guests are being checked in “manually” as it no doubt falls back on contingency plans for such an incident.

Local reports show slot machines failing, booking systems and websites down and some guests reportedly unable to use their room keys.

Machines down at the Aria. 

The $13 billion annual revenue company (2022) did not specify details of the incident, which bears some hallmarks of a ransomware attack.

“MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems,” the company said on X, formerly Twitter.

“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.

“Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter,” it said on Monday.

Ryan McConechy, CTO of Barrier Networks said: "In response to this incident, it looks like MGM decided to take all their systems offline, which is a routine move when organisations run such large and complex networks. Until MGM provides more information on the breach, it’s not clear the exact reason why they decided to take this action, but it is a very costly move.

"For every minute the gaming floor was down, MGM was losing money. Likewise, with reservations and their websites still being down, the company continues to suffer massive financial losses. Understandably, this may be to prevent active attackers pivoting or malware spreading, but when organisations segment their networks effectively, this scale of downtime can usually be avoided."

A massive MGM data breach occurred in 2019 when a hacker gained access to a cloud server and stole information on guests.

In an unrelated incident that did previously cast light on some vulnerabilities on the floor of major Las Vegas casinos, two young security researchers on a “Shodan safari” in 2019 discovered that third-party “rewards” kiosks in many Las Vegas casinos were calling home to their back-end server in plain text, with all data clearly visible.

There was no SSL protection and an associated API was also “wide open and vulnerable to abuse,” they said at the time. It was possible to “identify kiosks by their MAC address and use the unsecured API to change details, track users and even add credit to user accounts.” Investigating further, they also found casino WiFi network passwords stored in plaintext, user personal data stored in plaintext, and third-party contractors posting the vendor’s source code publicly on GitHub.

The vendor in question threatened legal action.

By contrast, MGM’s security team responded swiftly and courteously at the time to disclosure of the potential risk from the machines.