Cyber Defense Advisors

MGM ransomware attack costs $100 million, in busy month for breaches

The recent ransomware attack on MGM Resort International cost the hotel and casino company $100 million overall from operational disruptions, according to its latest filing with the US Securities and Exchange Commission (SEC).

MGM was attacked by ALPHR (aka BlackCat), a ransomware group widely thought to have links to the Russian government. MGM declined to pay the ransom requested by the attackers, relying on cybersecurity insurance to cover the costs of the attack’s impact, and quickly moved to shut down operational systems in the wake of the attack — a move criticized by the attackers themselves.

“The Company estimates a negative impact from the cyber security issue in September of approximately $100 million to Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, collectively,” said MGM in the SEC filing. EBITDAR is a term used denote earnings before interest, taxes and certain expenses.

Though the company reports that the attack has been contained and no further data will be lost, the impact of the incident appears to be far greater than most. “The global average cost of a data breach in 2023 was $4.45 million, a 15% increase over 3 years,” according to IBM’s Cost of a Data Breach Report 2023.

MGM is optimistic despite losses

MGM said in the SEC filing that despite the large loss, it believes the incident might not have any material effect on its financial condition and results of operations for the year. “While the Company experienced impacts to occupancy due to the availability of bookings through the Company’s website and mobile applications, it was mostly contained to the month of September,” MGM said.

While MGM said it is confident that its cybersecurity insurance will be sufficient to cover the financial impact so far from the incident, the full scope of the costs and related impact of the attack remains yet to be determined.

Based on the company’s ongoing investigation, third-party activity within MGM systems has been contained but personal information of several customers (transacting with MGM prior to 2019) were obtained by the attackers. The personal information included name, contact details, gender, date of birth, and driver’s license number, MGM said.

Ransomware is top cyberattack type

Ransomware remained the top type of cyberattack in September, with at least five big-ticket attacks, according to a study by cybersecurity company Cyfirma. Other than MGM, the top victims in September included the Save the Children global nonprofit organization, Auckland University in New Zealand, the Canadian healthcare network BORN, and the Johnson Group marketing firm.

Each of the attacks resulted in the loss of several gigabytes, up to terabytes, of customer or stakeholder data, Cyfirma said. Manufacturing and real estate were the top-hit sectors for the month, and the US was the region most impacted by ransomware attacks.

The busiest ransomware groups for the month included BlackCat (ALPHV), Cuba, and Mimic (FreeWorld variant) with notable entrants including 3AM Ransomware, LostTrust, and CryptBB.

The impact of ransomware is not likely to diminish. “The ransomware economy has become incredibly lucrative as these cybercriminal groups have become highly organized and systematic,” said Cyfirma CEO Kumar Ritesh, in an email response to questions abut the MGM attack. Part of the issue is the backing of nation-state actors.

“Ransomware attacks have also been used to advance geopolitical interests and with strong backing by nation states, these attacks will certainly escalate in the near term,” Ritesh said. However, impacted companies should not pay ransomware, he warned.

 “The proliferation of attacks are driven mostly by financial gains and this means victims are actually paying the ransom. This is not something we’d recommend given that this would spur more attacks, embolden the hackers and continue to attract more people into the trade,” Ritesh said.

Ransomware