MGM Resorts International revealed that the recent ransomware attack it experienced in September is estimated to cost the company approximately $100 million. However, MGM believes that the financial impact of the attack will likely be covered by its cyber insurance policy.
The cyber attack came to light after guests reported encountering issues with room access, amenities, and casino games that persisted for several days. Okta, an identity and access management vendor, later confirmed that MGM was one of the many victims of a social engineering campaign in which attackers gained privileged access to targeted organizations.
In an 8-K filing and update from MGM CEO William Hornbuckle, more details about the attack and the company’s response were disclosed. MGM quickly took its systems offline upon detecting the attack in order to contain the threat. As a result of this swift action, the threat actors were unable to access any customer bank account numbers or payment card information.
Though many of MGM’s affected operations have returned to normal, the process of remediation has incurred significant costs. The company stated in its 8-K filing that it estimates a negative impact of around $100 million to Adjusted Property EBITDAR (earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs) for both the Las Vegas Strip Resorts and Regional Operations.
In addition to the $100 million loss from business disruptions, MGM also incurred less than $10 million in one-time expenses. These expenses included technology consulting services, legal fees, and expenses related to third-party advisors. However, MGM expects that these costs may be covered by its cyber insurance policy.
While cyber insurance can provide financial protection against cyber attacks, there has been a complicated relationship between ransomware and insurance carriers. Ransomware attacks have been blamed for a surge in insurance premiums, as the threat influences an enterprise’s ability to obtain policies. Some insurers even require customers to have effective backups in place as part of their ransomware response strategy before issuing a policy.
There has also been ongoing debate regarding the role of insurance carriers in ransomware incident response, particularly concerning ransom payments. Cybercriminal groups are aware that certain insurance policies cover ransom payments, leading to an increase in attacks and higher demands. A recent report by insurer Coalition showed a surge in ransomware claims in the first quarter of 2023, with higher ransom demands and increased business disruption.
Furthermore, a report earlier this year from Delinea revealed that 70% of respondents stated that their insurance policies did not cover ransomware payments. This indicates that not all policies provide coverage for such incidents.
The ransomware gang known as Alphv/BlackCat has claimed responsibility for the attack on MGM. However, it remains unclear whether MGM received a ransom demand or made any payment to the threat actors. The company has not provided additional comments regarding this matter.
MGM CEO William Hornbuckle acknowledged in his statement that while most of the company’s systems have been restored, the attackers did manage to steal personal information of customers who had transacted with MGM prior to March 2019. The stolen data includes names, genders, dates of birth, driver’s license numbers, and in some cases, Social Security numbers and passport numbers. As part of the remediation efforts, MGM has rebuilt, restored, and strengthened its IT environment.
Guest-facing systems are expected to be fully restored in the coming days, according to the 8-K filing. Caesars Entertainment, another Okta customer affected by the social engineering campaign, experienced a similar attack last month. Caesars confirmed that it took measures to ensure that the unauthorized actors deleted the stolen data. However, The Wall Street Journal reported that Caesars paid approximately half of a $30 million ransom demand from the threat actors.
The financial impact and overall costs of the cyber attack on MGM Resorts International are still being assessed. MGM is hopeful that its cyber insurance policy will provide sufficient coverage for the operational disruptions, one-time expenses, and future expenses resulting from the attack. However, the full scope of the costs and impacts of the incident has not yet been determined.

