MGM Resorts International said it expects to take a $100 million hit as part of the fallout of a cyberattack that has most significantly impacted its Las Vegas operations.
MGM first acknowledged detection of the issue in a press release last month. On Thursday, the company disclosed in a regulatory filing it “shut down its systems to mitigate risk to customer information, which resulted in disruptions at some of the company’s properties but allowed the company to prevent the criminal actors from accessing any customer bank account numbers or payment card information.”
MGM said some personal information was breached for business conducted prior to March 2019, including names, phone numbers, email and postal addresses, genders, dates of birth, and driver’s license numbers. For a limited number of customers, Social Security numbers and passport numbers were also obtained.
MGM acknowledged the attack will have a negative impact on its third-quarter results and minimal impact during the fourth quarter. It said it does not expect the issue to have a material effect on its financial condition and results of operations for the year.
The company also disclosed it incurred less than $10 million in one-time expenses related to the issue, which consisted of technology consulting services, legal fees, and expenses of other third-party advisers. MGM said it believes its cybersecurity insurance will cover losses incurred because of operational disruptions but acknowledged the full scope of impact has yet to be determined.
The company believes the breach is contained but is still engaging third-party experts to further enhance its cyber defenses.
MGM is not the only gaming company to be dealing with the effects of a breach. Caesars Entertainment disclosed last month an unauthorized actor accessed its loyalty program database, which included driver’s license numbers and/or Social Security numbers.
Additional attention is being paid to company breach disclosures in advance of the compliance date of the Securities and Exchange Commission’s rule requiring material cybersecurity incidents to be disclosed within four business days.