The cyber crew that infiltrated MGM in a cyberattack in September came away with personally identifiable information (PII) from customers in an operation the resort giant said will cost it some $100 million.
MGM said in an 8K Securities and Exchange Commission (SEC) filing that the “full scope of costs” has yet to be determined. The company said it expects its cyber insurance policy will be “sufficient” to cover the financial impact to its business.
Stolen information included name and contact information, such as phone number, email address and postal address), gender, date of birth and driver’s license numbers. For a “limited number” of customers, Social Security numbers and passport numbers were also obtained by the criminal actors.
The types of impacted information varied by individual, MGM said in the filing. It does not believe that customer passwords, bank account numbers or payment card information were lifted by the cyber gang. So far the company has not seen any evidence of identity theft or account fraud connected to the pilfered PII.
“While no company can ever eliminate the risk of a cyberattack, the company has taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards. These efforts are ongoing,” MGM said in the filing.
MGM has declined to comment on whether it was asked for or paid any ransom.
However, according to The Wall Street Journal, MGM has refused to meet the hackers’ ransom demand. Caesars Entertainment, which was also hit by a recent ransomware attack, is believed to have paid about half of the $30 million demanded by the hackers to prevent the disclosure of stolen data.
Six Class Action Lawsuits Filed
In the cyber hijacking's wake, six class action lawsuits filed in Nevada District Court claim that MGM Resorts and Caesars Entertainment failed to protect the personal identifiable information (PII) of their loyalty program customers, the Las Vegas Review-Journal reported.
The lawsuits allege that MGM’s and Caesars’ negligence caused sensitive data to be hijacked by ransomware extortionists that attacked the resorts three weeks ago. In an SEC filing, Caesars acknowledged that a hacker had gained access to the PII of the company’s loyalty customers, including driver’s licenses and social security numbers.
Eastern European hackers ALPHV and Scattered Spider have claimed responsibility for the attacks.