‘Losing money every minute’: MGM, FBI look into possibility of cyberattack
Updated September 12, 2023 - 9:43 pm
Tuesday marked another frustrating day for guests at MGM Resorts International properties, after a cybersecurity issue that began Sunday continued to wreak havoc, forcing customers to wait hours to check in, sidelining slot machines, and shutting down paid parking systems, ATMs, the company website and its mobile app.
MGM has not commented on what systems were affected or how the incident happened, but has contacted law enforcement, and the FBI confirmed on Tuesday that it is investigating the matter.
An expert in cybersecurity says it’s too early to speculate whether MGM Resorts was the victim of hackers in a ransomware attack, although numerous clues point that direction.
“I’m sure they’re losing money every minute, every hour, every day,” Alex Hamerstone said Tuesday.
Hamerstone, an advisory solutions director at TrustedSec, an Ohio-based information security consulting organization dedicated to helping companies assess and decrease risk in their information systems, said not only did MGM lose money from failed hotel and restaurant reservation bookings and inaccessible slot machines and sports bets, but the company took a reputational hit as well.
“If there’s a breach in a retail organization, and the place has low prices and good products, shoppers are back the next day,” he said. “But I think that people are much less forgiving when you ruin their vacation or ruin their holiday. Some people save up all year to go to Vegas.”
Guests seeking to access their rooms and services on Tuesday faced long lines and long waits at some MGM properties. MGM’s websites and mobile app remained down.
Some point-of-sale locations couldn’t process credit card transactions at MGM retail outlets, requiring guests to write down their credit card numbers on slips of paper so transactions could be manually processed. Those hoping to withdraw cash from the hotel ATMs found they were out of luck on that front too as those machines also were down.
Some guests complained that they couldn’t get into their hotel rooms because the MGM app was off. The company has since remedied that problem by issuing key cards. MGM’s websites and mobile app remained down on Tuesday.
‘It kept going’
Guests arriving to check in at the Luxor around 6 p.m. Tuesday found the end of the line snaking hundreds of yards out of the lobby and down first floor hallways.
Tables filled with small water bottles sat along the line, and employees served drinks.
Tammy Henderson, who arrived from Arkansas on Tuesday, trekked all the way to the back of the line. She and her husband had to call ahead of time to check on their reservations because the hotel’s website hadn’t been working for a couple of days. They were not told to expect such a long line but were informed that they would be checking in “the old-fashion way,” Henderson said.
“Oh my God, I was devastated,” she said of seeing the line. “I didn’t know it kept going. I thought it was the end down there and we just kept going.”
Eric, who asked that his last name not be included, was farther up the line but after an hour of waiting still had a ways to go. He traveled to Las Vegas from Colorado and called the experience a “pain in the ass.”
The line at MGM Grand’s check-in desk was significantly shorter but still 30 to 40 people deep Tuesday evening. Several gaming machines in the casino were not working.
At Mandalay Bay, the line steadily grew around 6:20 p.m. Hotel employees began offering trays of water bottles to folks bunching up in the lobby.
Ralph Antinori was in town from New Jersey for a work trip. He heard about the system outages Tuesday morning and didn’t bother even trying the hotel’s website.
“It is what it is,” Antinori said of the Mandalay Bay line. “What are we going to do?”
Effects could linger
The effects of the crippling cybersecurity issue could last several days and, depending on the extent of the incident, months or years.
MGM has not elaborated on the matter and hasn’t referred to it as a cyberattack.
The FBI’s involvement, though, appears to indicate that MGM may have been under attack.
“MGM has requested assistance, and we are providing it,” Special Agent Mark Neria, of the bureau’s Las Vegas field office, said Tuesday.
He declined to comment further on the issue, citing an ongoing investigation.
The U.S. Department of Homeland Security referred a reporter to MGM when asked if that agency was involved in the investigation.
An MGM spokesperson confirmed that the company had notified authorities and took “prompt action to protect” its systems and data, while working to determine the cause.
“Our resorts, including dining, entertainment and gaming are currently operational, and continue to deliver the experiences for which MGM is known,” part of a statement released late Monday read. “Our guests remain able to access their hotel rooms and our Front Desk staff is ready to assist our guests as needed. We appreciate your patience.”
Websites, paid parking down
Computer problems apparently shut off the paid parking system for MGM properties. The gates for entering lots at Bellagio and Mandalay Bay were open without payment Monday and Tuesday.
At the MGM Grand Tuesday morning, about 60 percent of the slot machines and other computer-based games on the floor appeared to be out of service. All ATMs, rewards and sports betting machines also appeared not to be operational.
Over at New York-New York, more slot machines appeared to be working Tuesday morning, with roughly 20 percent inoperative. Most computer blackjack and craps were working.
Lines for check-in at various MGM resorts grew long into the late afternoon and evening Tuesday.
The sportsbooks at MGM Grand and New York-New York took no betting action Tuesday in the respective facilities.
Gary Greeson, 54, checked into the Excalibur on Monday, with plans of checking out on Thursday. He traveled to Las Vegas from Oklahoma City on business.
“It’s irritating to spend money and come to a place like this, and things aren’t working and there is no backup system,” he said. “I tried to order room service and was told I couldn’t since I had to use the app.”
Greeson estimated that more than 200 people were waiting in line to check in to the hotel Monday afternoon. He has tried to purchase over-the-counter medicine at some of the casino shops, but employees say they can’t look up prices and can’t sell him anything unless they have the prices memorized.
He said employees are trying to be helpful, but with most systems being down, it makes it difficult to enjoy his stay.
Though he isn’t staying at an MGM property, Mike Hoffman, 65, who is vacationing in Las Vegas from Charlotte, North Carolina, has been affected by the outage.
While he is staying at Caesars Palace, Hoffman won $15.27 at a slot machine at New York-New York on Tuesday but had to wait at the machine until an employee could come by and grab the ticket and then return with the cash winnings.
“It takes about five minutes longer to cash out, which is inconvenient since you can’t leave the machine,” Hoffman said, but he credited the employee for rounding his $15.27 payout to $16.
Hoffman said he hasn’t had similar issues playing at Caesars and would probably avoid playing at an MGM casino for the rest of his trip. He leaves on Thursday.
Extortion?
Hamerstone, the cybersecurity expert, said it’s unclear whether MGM is being extorted by hackers and declined to speculate on the subject.
“Given how extensive it is, I think there are some indication that it could have been, but it’s really tough to speculate because there are just so many different things it could be,” he said. “You know, it could be ransomware. And what’s interesting is ransomware has really changed, too, because they usually kind of hedge their bets, and they don’t just encrypt (data) and ask for a ransom. They’ll also encrypt your data to shut you down, but they’ll also take the data and threaten to release it.”
The president and CEO of the Las Vegas Convention and Visitors Authority, which markets Las Vegas to the world, sympathized with MGM.
“MGM is busy working through this, and I think they’re doing the best job they can possibly do,” Steve Hill said following Tuesday’s LVCVA board meeting. “It’s really unfortunate, and we’re there to help to the extent that we can. But we’ve really let them work through this.”
An MGM executive, Anton Nicodemus, president and chief operating officer of CityCenter, Aria and Vdara, is vice chairman of the LVCVA board of directors. He didn’t address the issue during the meeting.
Gaming industry analyst Josh Swissman, founding partner of the Las Vegas-based Strategy Organization, said he knew the matter was serious because it affected MGM’s vast empire.
“For them to do something as broad as they did, not only geographically but broad across multiple systems, to the point where they had to issue press releases from a Gmail (account), that to me implies something that is very serious. You don’t turn off your ability to make money and provide enjoyment to guests without it being something that had some level of significant impact.”
MGM’s response
Swissman said company investors will be watching closely to see how MGM responds to the matter.
“The real thing investors and people that focus on the gaming industry ought to be looking at, is how organizations respond in these situations,” he said. “The additional notion of security should be how a company reacts when there’s an assumed breach like that. I think MGM took a noteworthy and large-scale approach to protecting their customers and their data.That, to me, shows how important they took it. That should make people feel good in the long run, that they were willing to forgo revenue.”
Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X. Contact Sean Hemmersmeier at shemmersmeier@reviewjournal.com. Follow @seanhemmers34 on X. Review-Journal staff writers Sabrina Schnur, McKenna Ross, Mick Akers, Brett Clarkson and David Wilson and digital content producer Marvin Clemons contributed to this report.