‘Cybersecurity Issue’ Forces Systems Shutdown at MGM Hotels and Casinos
The casino and hotel chain MGM Resorts International said on Monday that a “cybersecurity issue” was affecting some of its online systems, causing disruptions for customers, particularly in Las Vegas, where cybersecurity experts said the company was likely the victim of a pervasive cyberattack.
MGM Resorts did not share specifics on the disruptions or disclose when the issue began or when it was detected, but said that law enforcement had been notified. In a statement, the company said that it had taken “prompt action to protect our systems and data, including shutting down certain systems.”
“Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter,” MGM Resorts posted on social media.
There were some signs of disruptions for the company, which did not respond to emails seeking comment. Its website was down Monday evening, and comments posted by Facebook group users stated that slot machines were not working and that there were problems accessing hotel rooms at the company’s resorts.
KTNV 13, a TV station in Las Vegas, reported that multiple gambling machines at hotels had gone offline and that several guests were unable to charge anything to their rooms, make reservations or use their digital room keys.
It was not clear how many people had been affected by the cybersecurity disruptions. MGM is a prominent casino and hotel company that has thousands of hotel rooms in Las Vegas, with properties that include Mandalay Bay, Aria, the Bellagio and MGM Grand Las Vegas.
Greg Moody, an associate professor of information systems and cybersecurity at the University of Nevada, Las Vegas, said on Monday that a “cybersecurity issue” typically means that an individual or a group has attacked the company’s network.
In MGM’s case, the attacker or attackers might have “found some gap in their armor” and used it to take down the company’s systems, said Dr. Moody, who has worked with the company and members of its tech team on several projects.
Such attacks are typically launched by hackers seeking a profit, he said. Attackers will usually steal a company’s data and hold it hostage until the company pays a price for its return. Attackers will also sell the stolen data in an underground online marketplace, where buyers seek data containing information that will enable identity theft, like names, numbers or addresses.
MGM is a large company with a vast data set and is therefore a target, Dr. Moody said.
Arthur Salmon, a professor of computing and information technology at the College of Southern Nevada, where he is also the director of its cybersecurity program, said on Monday that large businesses are common victims of cyberattacks.
Three industries, however, are frequent targets of such attacks because of the extra pressure in getting systems back to normal, Dr. Salmon said. They are: utility companies, because complaints from customers often make news; hospitals, because of the risk the disruption presents to patients; and casinos, because of the reputational hit that could come from data breaches of customers’ private information.
“Their security team has to be right 100 percent of the time,” Dr. Salmon said. “And the threats are always growing, always adapting, always getting more complicated. The attacker just has to be right once.”
Yoohwan Kim, a professor of network security at the University of Nevada, Las Vegas, said that attackers will sometimes steal data from a big and financially secure company, demand a ransom for a key to decrypt their systems, and then wait for the company to pay.
Dr. Salmon said the ransom amounts can vary but are usually in the hundreds of thousands or low millions for larger companies.
Recuperating from a widespread cybersecurity attack can take months or years, experts said.
Recent cyberattacks around the world have taken down operations at a gasoline pipeline, hospitals and grocery chains and have potentially compromised some intelligence agencies. In 2019, MGM was the victim of a data breach that was said to affect about 10.6 million people.
Rebecca Carballo contributed reporting.