A cyberattack has breached the computer system at MGM Resorts, forcing the company to shut down operations at a dozen of the most iconic casino hotels in Las Vegas—including the Bellagio, Mandalay Bay and the Cosmopolitan—as well as another half-dozen MGM properties around the United States.
The attack left hotel guests locked out of their rooms for hours and unable to use their digital key cards to charge goods and services. Eventually, the hotels resorted to manual processes and transactions.
Since Monday evening, the MGM website has been replaced by a splash page advising guests to contact the company directly via phone.
The company first detected the issue on Sunday evening. “We quickly began an investigation with assistance from leading external cybersecurity experts,” MGM reported Monday on X, the platform formerly known as Twitter. “We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”
“The FBI is aware of the incident, as this is still ongoing, we do not have any additional information to provide at this time,” Mark Neria, an FBI special agent in Las Vegas, told
Forbes via email. One of the
world’s largest casino-hotel companies, MGM Resorts hauled in $14.1 billion in revenue last year. In Las Vegas alone, “MGM Resorts fills roughly 12 million room nights a year,” Jonathan Halkyard, the company’s CFO and treasurer said on a quarterly earnings call last month. By late Monday evening, MGM’s casino floors were operational but the crucial reservation systems for hotel rooms and restaurant reservations remained down, clocking in more than 24 hours offline. MGM Resorts has not immediately responded to Forbes’ request for comment.
In its earning release for the quarter that ended on June 30, MGM reported a 96% occupancy rate for its Las Vegas Strip hotels. Those hotel rooms generated revenue of $707 million compared to casino revenue of $492 million over the same three-month period. Based on those figures, MGM’s Vegas Strip properties bring in roughly $8 million per day in hotel room revenue.
“Hospitality has always been a prime target for cybercriminals,” says Martin Zugec, technical solutions director at Bitdefender, a multinational cybersecurity firm. “This sector holds a treasure trove of personal data including names, passports, addresses and credit card numbers that are sold for profit.”
In 2018, Marriott revealed a massive breach that stole the data of a half billion customers. The past decade has seen high-volume data breaches at a slew of other major hotel brands, including Hyatt, Hilton, InterContinental, Sheraton, Westin, Starwood, Wyndham, Omni Hotels and Mandarin Oriental.
Recently, Zugec says, Bitdefender has seen “a marked increase in supply-chain attacks targeting hotels that use vulnerabilities in popular platforms to gain initial access. Just last week, we discovered an instance of cybercriminals using zero-day vulnerabilities in a hotel booking engine to steal financial information. Several organizations have been compromised and the attack remains active.”
But the attack on MGM is atypical to most attacks, which tend to target personal data and are often discovered after the fact. Rarely is a breach so disruptive to hotels’ daily business for a prolonged period.
www.forbes.com
...
