MGM Resorts Fights FTC Over Cyberattack Investigation

Erik Gibbs

A hacker typing on a keyboard behind a screen of computer code

MGM Resorts International is taking on the Federal Trade Commission (FTC). Reuters reports that MGM hopes to halt an investigation into the casino operator’s handling of a cyberattack that targeted its operations last year.

The lawsuit, filed in federal court, asserts that the FTC’s inquiry oversteps its authority and violates MGM’s Fifth Amendment rights. The casino operator contends that the FTC, led by Chairwoman Lina M. Khan, who personally experienced the cyberattack’s effects, is unfairly targeting the company based on regulations that do not apply to its operations.

MGM’s lawsuit highlights a conflict of interest, according to the company, alleging that Chairwoman Khan’s direct involvement in the cyberattack — having been a guest at an MGM property during the incident — compromises the FTC’s objectivity. The company further claims that the FTC’s actions deprived it of its right to a fair hearing and equal treatment under the law, as guaranteed by the Due Process Clause of the Fifth Amendment.

The FTC’s investigation aims to scrutinize MGM’s response to the hack, which disrupted the company’s IT systems and affected thousands of guests and customers. It led to a 10-day shutdown of computer systems that disrupted hotel reservations and credit card processing.

The regulatory body issued a Civil Investigative Demand (CID) last week, which compels MGM to provide extensive information spanning several years. MGM argues that this demand is excessive and irrelevant and that the rules the FTC cited in its complaint — the “Safeguards Rule” and the “Red Flags Rule” — are designed for financial institutions, which MGM does not classify as.

A massive cyber headache

The cyberattack occurred last September and was widely publicized. An unauthorized third party accessed the personal information of MGM customers, including names, contact details, and, in some cases, Social Security and passport numbers. However, MGM maintains that no financial data was compromised. In response to the breach, MGM took immediate steps to secure its systems and launched an investigation with cybersecurity experts, while also coordinating with law enforcement.

The repercussions of the cyberattack were significant for MGM, causing operational disruptions across multiple properties. MGM estimates that the incident impacted its adjusted property EBITDAR (earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs) for the quarter by approximately $100 million, despite reporting record revenue.

MGM wasn’t the only target of hackers last year. Caesars Entertainment also experienced a significant attack targeting its loyalty program database, compromising personal information such as Social Security numbers and driver’s license numbers. Caesars eventually acknowledged that it paid a $15 million ransom after initially denying making any deals.

Cyberattacks on the rise

The casino industry has faced a significant challenge with a rise in cyberattacks over the past few years. Experts have warned that such attacks are likely to continue, urging businesses to enhance their security protocols and prepare for potential threats.

Attacks in the US by the 10 most active ransomware groups July 2022 - June 2023
Source: Malwarebytes 2023 State of Ransomware

The hacks MGM and Caesars, as well as numerous other casinos, dealt with were reportedly the work of Scattered Spider, a global hacking group also identified as UNC3944, among other aliases. It emerged around May 2022, and since its introduction, it has launched sophisticated cyberattacks on major corporations, particularly in the casino and gambling sectors.

Scattered Spider’s methods are diverse, ranging from social engineering to exploiting security vulnerabilities. While the exact membership of the group remains elusive, it is believed to include operatives based in the U.S. and the U.K., with affiliations to other cybercriminal entities such as Russia-based ALPHV.

ALPHV, also known as BlackCat, was behind the Colonial Pipeline hack in 2021 and others. Scattered Spider, according to the FBI, reached out to the group in an effort to grow its capabilities, leading to the recent string of attacks.

The financial impact of these attacks is substantial. IBM stated that the average attack in 2023 cost companies $4.45 million. That was a 15% increase from 2020.