MGM Resorts cybersecurity incident forces system outage

Casino and lodging operator MGM Resorts shut down a number of its computer systems including its website in response to a “cybersecurity issue,” the company said in a social media post Monday.

The initial shutdown impacted nearly every aspect of the casino operator’s business. Reservation systems, booking systems, hotel electronic key card systems, and the casino floors were all apparently impacted by the outage.

The company’s email systems were also apparently taken down in response to the cybersecurity issue, and have not yet come back online.

The company said that as of Monday evening, their casino floors were back online. But the reservation systems that power their thousands of hotel rooms and the booking system that controls reservations for their restaurants are apparently still down, more than a day after the first reports of the incident began to circulate.

MGM operates thousands of hotel rooms across Las Vegas and the United States. Revenue from their hotel rooms in Las Vegas outstrips the revenue directly attributed to their casino operations, according to SEC filings. The company reported Las Vegas rooms revenue of $706.7 million for the quarter ended June 30, compared to casino revenue of $492.2 million for the same period.

“We quickly began an investigation with assistance from leading external cybersecurity experts,” MGM said in a post on X, formerly known as Twitter. “We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”

The FBI confirmed that it was aware of the “ongoing” incident but did not provide further information.

MGM shares closed down nearly 2.4% on Monday.

MGM’s website has been replaced by a landing page advising that patrons contact their hotels or casinos directly via phone. It wasn’t immediately clear when the outage started, although some users on social media reported that MGM’s systems were down as early as Sunday night.

The company has had cybersecurity incidents in the past. In 2020, the personal details of more than 10 million MGM visitors were published on a hacking forum. The information was exfiltrated in the summer of 2019, the company said at the time.

The scope of the government response, beyond the FBI involvement, was not immediately clear. The government identified the “commercial facilities sector,” which includes gaming and lodging, as critical infrastructure in 2003.

“A large communications failure or intentional cyberattack could substantially disrupt payments and basic operations, compromise customer and company data privacy, threaten company integrity and reputation, and create large legal and economic burdens,” the Department of Homeland Security warned in a 2015 sector-specific plan.