MGM Resorts cyberattack sparked customer data breach, cost the company $100 million

Regulatory filings and a letter from MGM Resorts CEO William Hornbuckle Wednesday claim a recent cyberattack entailed both a leak of customer data as well as a hefty financial hit to the company.

Hornbuckle attempted to downplay just how severe the data break was, however.

“We have determined that because of our fast, early response, the incident did not result in a compromise of any customer bank account numbers or payment card information,” Hornbuckle said in a public letter. “We do understand that the criminal actors obtained certain personal information belonging to some customers who transacted with us prior to March 2019.”

Hackers obtained data like customer names, contact information, date of birth, gender and driver’s license numbers. A “more limited number” of Social Security numbers and passport numbers were also hacked during the attack, Hornbuckle wrote.

“We have no evidence that the criminal actors have used this data to commit identity theft or account fraud,” he added.

Hornbuckle noted the company shut down IT systems to mitigate the risk of any widespread data leak and worked with federal law enforcement and external cybersecurity experts on investigating the attack.

The company did not pay off hackers demanding a ransom like Caesars Entertainment did weeks prior to the MGM cybersecurity issue, the Wall Street Journal reported this week.

While the Federal Bureau of Investigation discourages companies from paying cyber hackers a ransom, Caesars is believed to have paid roughly $15 million in ransom. The company claims its operations weren’t impacted, per earlier WSJ reporting.

But Caesars did note in a September regulatory filing that hackers “acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database.”

Daily Newsletter

Reward your inbox with the TPG Daily newsletter

Join over 700,000 readers for breaking news, in-depth guides and exclusive deals from TPG’s experts

Email address

Sign up

By signing up, you will receive newsletters and promotional content and agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.

The Caesars filing last month emphasized there was “no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.”

MGM’s fallout

Social media reports in recent weeks depicted a state of bedlam at MGM Resorts, ranging from shutdown slot machines to manual credit card processing, following the cyberattack.

The CEO’s letter Wednesday claims “the vast majority of our systems have been restored.”

But a filing with the U.S. Securities and Exchange Commission indicates the attack likely caused the company to take a $100 million hit. The MGM Resorts filing attributes much of this to guests changing or canceling reservations during the month of September, which had an 88% occupancy rate across the company this year compared to 93% in 2022.

The company expects occupancy rates across its resorts to be 93% in October, slightly down from the 94% seen the same month last year, but then fully recover in November.

The SEC filing reiterated the company believed the “unauthorized third-party activity” is now contained.

What to do if your personal information was stolen at MGM or Caesars

Hornbuckle indicated customers whose data was comprised in the cyberattack will have been notified via email. MGM Resorts is offering free credit monitoring and free identity protection services to those impacted.

The company also established a dedicated call center at 1-800-621-9437 that can be reached Monday through Friday from 9 a.m. until 11 p.m. EST and from 11 a.m. until 8 p.m. on Saturdays and Sundays. Those who dial in should reference number B105892 when calling.

There is also a dedicated website outlining additional information of the cyberattack and steps to take to protect personal information, including remaining alert for unsolicited communications involving personal information and monitoring credit reports for potential fraud.

While Caesars claims its operations were back to normal, the company still indicated it would notify customers “in the coming weeks” impacted by its own data breach.

If you aren’t sure if you were impacted, you can reach out to a dedicated response line for Caesars at 1-888-652-1580 from 9:00 a.m. to 9:00 p.m. EST, Monday through Friday other than on holidays.

What about Marriott?

The timing of the MGM Resorts cyberattack arrived weeks ahead of the planned launch month of a new partnership between the casino conglomerate and Marriott International.

The new deal, replacing a prior partnership between MGM and Hyatt, was expected to be a deeper relationship involving a new collection brand as well as tie-ins to the BetMGM online betting and gaming platform.

It is unclear if the cyberattack pushed back the planned October launch of the MGM Collection with Marriott Bonvoy. Representatives with Marriott did not respond to TPG's request for comment in time for publication.

But it certainly appears MGM is ready to at least be back to normal in November in time for the Formula 1 Las Vegas Grand Prix.

“The Company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by Formula 1,” reads the MGM Resorts SEC filing from Wednesday.

Related reading:

• Best hotel credit cards
• When is the best time to book a hotel? Experts weigh in — and debunk a few myths
• The best credit cards to reach elite status
• A comparison of luxury hotel programs from credit card issuers
• Which credit cards offer the most lucrative rewards for hotel stays?
• The best hotel rewards programs in the world