In a filing with the Securities and Exchange Commission, MGM Resorts reported that a recent cyberattack is expected to cost the company an estimated $100 million.

According to the SEC 8-K filing, the company estimates the negative effect from the cybersecurity incident to exceed $100 million, including $10 million in one-time consulting clean-up fees.

“We experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” MGM Resorts CEO and President Bill Hornbuckle said in an open letter published online. “We also believe that this attack is contained.”

Hornbuckle said the company believes the cyberattackers obtained certain personal information belonging to some customers who transacted with MGM Resorts prior to March 2019.

“This includes name, contact information, gender, date of birth and driver’s license number,” he said. “The types of impacted information varied by individual. We also believe a more limited number of Social Security numbers and passport numbers were obtained. We have no evidence that the criminal actors have used this data to commit identity theft or account fraud.”  

Security leaders weigh in

Anne Cutler, Cybersecurity Evangelist at Keeper Security:

While MGM may not be publicly disclosing the full extent of the impacts, the ramifications of any cyberattack of this size are inevitably far-reaching and long-lasting. No organization is too large to hack, but the ability to recover from a significant attack is certainly bolstered when the company has deep pockets. For many small to medium sized businesses, a ransomware attack can force them out of business entirely.

Although the $100 million in losses are costly on the surface, MGM's decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government and law enforcement. Paying a ransom to cybercriminals does not guarantee a full return of an organization's systems and data, and only furthers the ransomware ecosystem.

Omri Weinberg, Co-Founder and CRO at DoControl:

In cybersecurity, you have endless threats on a daily basis and basically endless points of attack.

No company will be ever be fully bulletproof, and just like the casino, you need to bet where to invest the resources and funds in your cybersecurity practice. Adversaries will always be more sophisticated with new technologies and it's a never-ending game.

Luckily there are many great cybersecurity companies out there that can give a lot of great coverage to reduce the risk and make sure you "bet" less. MGM Resorts International is obligated to give clarity about its action and the damage that was caused by this specific attack. If the SEC received a detailed brief about what happened, why, and how it can be prevented next time that's okay. If that is not the case, and they were just conceived by an announcement, that's very concerning.

Bud Broomhead, CEO at Viakoo:

Criminals often return to the scene of the crime, and want the victim to still be alive and able to be continually vulnerable to subsequent attacks.

No company is too big to hack; the key issue is a business too resilient to hack.  MGM may have invested heavily in backup and recovery, and may use this attack to learn where their weakness are so next time they will be even more resilient to attack.  

MGM deserves credit for not paying the ransom; hopefully their example will push more organizations to focus on resiliency and business continuity. It’s never a question of will you be hacked, just when you’ll be hacked and how prepared you are for it.

Andrew Barratt, Vice President at Coalfire:

It's important to look at this in the context of their income. MGM is a huge organization that is very profitable. With revenues of $14 billion, it's easy to see why they've flagged this as not being material. However, it doesn't mean they're too big to hack. Quite the opposite. It shows that larger organizations are likely a very profitable target for OCGs with cyber capability.   

Adam Marrè, CISO, Arctic Wolf:

When looking at the total cost of a breach, such as the one which impacted MGM, many factors can be taken into account. This can include a combination of revenue lost for downtime, extra hours worked for remediation, tools that may have been purchased to deal with the issue, outside incident response help, setting up and operating a hotline for affected people, fixing affected equipment, purchasing credit monitoring and sending physical letters to victims. Even hiring an outside PR firm to help with crisis messaging. When you add up everything, $100 million does not sounds like an unrealistic number for organization like MGM.

Stolen information can be used in identity theft or sold to other criminals to use it in this way. It can also be used for spear phishing or other social engineering campaigns, including SIM swapping, to assist in other attacks, and so the value of the data is high.