MGM Resorts International and rival Caesars Entertainment Inc. offered updates Thursday on recent cyberattacks, but the two hotel and casino operators left some stakeholders clamoring for more information.
MGM
MGM,
said it’s still working to resolve the “cybersecurity issue” that was first reported Sunday and that has caused its systems to be shut down.
“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly,” the company said in a post on X.
MGM Resorts filed an 8-K form with the Securities and Exchange Commission on Tuesday, indicating that the cyberattack — which has shut down its website and affected credit-card transactions, digital hotel-room keys, slot machines and sports-betting kiosks — poses a material risk to the company.
“Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems,” the company said in the filing.
MGM did not respond to a request from MarketWatch Thursday for an update on how its systems are being affected, but its main website remained down.
“For hotel reservations arriving September 13-17, 2023, we understand your travel plans may have changed, so we are waiving change and cancellations fees,” said a message on the site.
The company operated this week using backup protocols, including checking in guests with pen and paper and paying slot-machine wins manually, according to the Wall Street Journal.
Moody’s Investors Service warned that the attack could hurt the company’s credit.
The incident “highlights key risks related to [MGM’s] business operations’ heavy reliance on technology and the operational disruption caused when systems need to go offline or are inoperable,” the rating agency said in a statement on Wednesday.
On social media, users expressed their frustration at the lack of information in MGM’s Thursday post.
Caesars
CZR,
meanwhile, disclosed Thursday that it had recently identified “suspicious activity” in its information-technology network resulting from a “social engineering attack” on an outsourced IT support vendor.
The company said it determined that the cyberattacker acquired a copy of its loyalty-program database, which includes driver’s license numbers or Social Security numbers for “a significant number” of members.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said.
The company said it has incurred, and may continue to incur, certain expenses related to the attack, including expenses to respond to, remediate and investigate the matter.
The disclosure comes after the Wall Street Journal reported that Caesars paid roughly half of the $30 million the attackers demanded from the attack.
Caesars did not immediately respond to a request for more information on the attack and the safety of its systems.
The news comes as the SEC is gearing up for a new rule that goes into effect in December and will mandate that companies disclose hacks within four days of being deemed material to their business.
The Nevada Gaming Commission already requires casinos to disclose cyberattacks within 72 hours and to take measures to protect their systems, including annual reviews of their overall cybersecurity.
MGM and Caesars operate roughly 60,000 hotel rooms in Las Vegas, as well as many more at locations across the U.S.
MGM’s stock was flat Thursday and is down 5% on the week. Caesars was up 0.2% but is down 4.5% on the week.
The S&P 500
SPX
has gained 0.6% on the week.
Read the full article here