IE 11 is not supported. For an optimal experience visit our site on another browser.

MGM Resorts says cyberattack could have material effect on company

The company’s corporate email, restaurant reservation and hotel booking systems remain offline as a result of the attack, as do digital room keys.
The MGM Grand hotel and casino in Las Vegas
The MGM Grand hotel and casino in Las Vegas in July. Bridget Bennett / Bloomberg via Getty Images file
/ Source: CNBC.com
By Rohan Goswami, CNBC

MGM Resorts on Wednesday said that a cyber incident that has significantly disrupted properties across the United States for the past three days represents a material risk to the company.

At the same time, the major credit rating agency Moody’s warned that the cyberattack could negatively affect MGM’s credit rating, saying the attack highlighted “key risks” within the company.

The company’s corporate email, restaurant reservation and hotel booking systems remain offline as a result of the attack, as do digital room keys. MGM on Wednesday filed a 8-K report with the Securities and Exchange Commission noting that on Tuesday the company issued a press release “regarding a cybersecurity issue involving the Company.”

8-Ks as a rule are filed when publicly traded companies want to notify the SEC of an event that can have a material effect on the firm. An MGM spokesperson confirmed the company views the incident as material. The spokesperson declined to comment on the Moody’s warning.

MGM’s share price has declined more than 6% since Monday, the day it first acknowledged the outages, compared to a modest gain in the S&P 500 during the same period.

The FBI told CNBC on Monday it is monitoring the “ongoing” situation. The SEC’s new cyber disclosure rules will not go into effect until the end of the year, so MGM is not yet obligated to provide more information to the SEC than they already have.

On social media, patrons have expressed frustration with the scope and duration of the outage, with some describing how hotel key cards aren’t working. Others expressed concerns about the security of their personal data. In 2020, MGM acknowledged that it had lost the personal information of more than 10 million customers in a hack. The data resurfaced on a hacking forum that same year.


MGM is communicating with the press through noncorporate, commercially available email addresses. Other than a brief update Tuesday confirming that the company had brought its gaming floors back online, MGM has provided little further information.

The SEC did not immediately respond to CNBC’s request for comment.

Rohan Goswami, CNBC

Rohan Goswami is an associate reporter on CNBC’s technology team.

Dan Mangan, CNBC contributed.