MGM Resorts says 'cybersecurity issue' may have widespread impact

The company said the issue might have affected its properties in Las Vegas, Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio.


MGM Resorts International reported a "cybersecurity issue" Monday that may have affected its hospitality, gaming and entertainment properties across the U.S.

The issue may still be affecting the publicly traded company: Some of its websites were down late Monday, and it urged customers to book rooms and request reservations by phone.

Its full impact on reservation systems and casino floors in Las Vegas, the company's base, as well as at properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio, was unknown, spokesperson Brian Ahern said.

In a statement Monday evening, the company said that the issue was ongoing but that its casino gaming floors were operational. "We continue to work diligently to resolve this issue," it said.

Earlier in the day, MGM Resorts said that the matter affected "some of the company's systems" and that law enforcement had been notified.

Some MGM systems were shut down to protect data, and the company launched an internal investigation with the help of "leading external cybersecurity experts," it said.

The FBI in Las Vegas and the Nevada Gaming Control Board did not respond to requests for comment.

MGM lists 19 properties in the U.S. They include some of the most popular resorts in Las Vegas, including the Bellagio, Mandalay Bay and the Cosmopolitan. It also has properties in China.

Late last year Nevada's gaming board approved stricter cybersecurity measures, including a three-day window to report any online system breaches.

In July, the Securities and Exchange Commission adopted a similar rule for large, publicly traded companies. It requires a significant breach to be reported within four business days, but the requirement won't be in effect until December.

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC Chair Gary Gensler said in a statement in July.

South Point Hotel and Casino attorney Barry Lieberman said in a letter to the Nevada board that some of its measures, yet to be enacted at the time, were not needed.

"Almost all licensees have cybersecurity insurance," he said in a letter to the executive secretary of the board. "Those insurance companies require the licensees to take steps necessary to prevent cyber attacks."

Josh Heller, the manager of information security engineering at the wireless technology company Digi International, said contemporary cyberattacks can rapidly spread throughout companies through single, official-looking emails that prompt employees to enter their passwords.

"A simple [phishing] email opened on the corporate network could spread like wildfire," he said.

Heller suggested artificial intelligence could give companies a fast, relatively inexpensive way to alert managers of breaches and "isolate the impact."

Follow-up questions for an MGM Resorts spokesperson went unanswered Monday.