‘Corporate terrorism at its finest’: MGM Resorts CEO on cyberattack
Updated October 10, 2023 - 4:10 pm
MGM Resorts International CEO Bill Hornbuckle gave new details about the September cyberattack that crippled his company for nine days and said it would emerge stronger than ever.
Hornbuckle, appearing Tuesday as a keynote speaker on the second day of the Global Gaming Expo, responded to questions from CNBC anchor Contessa Brewer and said next month’s Formula One Las Vegas Grand Prix would be the biggest special event in the city’s history.
“Look, it’s corporate terrorism at its finest,” Hornbuckle told a crowd of around 1,000 gathered in a ballroom at The Venetian for the convention. “You don’t wish this on anybody. It happened to hit us. It was partially socially engineered. And for the couple of weeks to our company, it was devastating.
“We saw it early, so we had good indicators on the ground. By day two, we knew they were there. We reacted quickly to protect data. And so you saw us shutting down systems by our own design. What ended up happening is criminals literally understood what was happening and they shut the balance of it down for us. We found ourselves in an environment where for the next four or five days, with 36,000 hotel rooms and some regional properties, we were completely in the dark. I mean, literally the telephones, the casino system, the hotel system, the key system, and I could go on and on and on, were not functioning.”
The Sept. 10 cyberattack took down computer systems and crippled operations from the MGM app enabling guests to enter their hotel rooms to slot machine payouts and company email.
Ransom wasn’t paid
Hornbuckle affirmed that MGM did not pay a ransomware demand to the attackers.
“We did not pay ransom, not that that’s the defining moment in one of these things,” Hornbuckle said. “I know people say don’t pay ransom. But the way this came at us and the velocity at which it came at us, we reacted quickly. We protected data. We find ourselves now a couple weeks into this thing fully functioning. We have all our commercial systems back. This is probably going to cost us in the range of $100 million. It is covered by cyber insurance, thankfully. I can only imagine what next year’s bill will be. And so moving forward, it’s about reinvestment into infrastructure, people, and processes.”
Asked about the decision-making process of whether to pay the ransom demand, Hornbuckle said it was a tactical decision.
“It took us (until day three) to figure out how to get out of it as we thought they would tell us what to do to get out of it. And so it was a decision of, no, we shouldn’t be paying a ransom. It’s going to take us as long to figure this out anyway, even if they gave us the encryption keys. And so let’s just move forward and put ourselves when we get through this in a much different and better place.”
Hornbuckle said one of MGM’s two call centers – the technology crew – was where hackers social engineered themselves into the company’s system.
“We have a call center that’s for ‘my machine is broken,’ and then we have a tech call center, which is for the technical crew. That’s the layer that got engineered. And so how that process works going forward needs to be rethought and it’s been done, has been and will continue to be. That’s the key lesson.
“At the end of the day, you’re trying to understand a customer and it’s totally worth it. So all that leads to a central place, all by design. But the way that you structure your environment, in terms of pillars, keeping them, if they get into one, they don’t get into all, is critical architecture,” he said.
Hack didn’t reach credit cards
Hornbuckle said he believes the hackers never reached customers’ credit card information.
“Look, it makes it more complicated, but in our example, one of the things we were able to protect was banking information, credit card information, nothing got out,” he said. “And so even despite the scale of the hack that we had, that kind of information didn’t get out.”
The cyberattack wasn’t the only thing on Hornbuckle’s mind at the G2E convention. He addressed the F1 event, the Culinary Union’s threat of a strike, Macao’s rebound and growth opportunities for the company in the United Arab Emirates and New York.
“It will be the single largest event Las Vegas has ever seen,” Hornbuckle said of F1. “Our ADRs (average daily room rates), particularly in our premium properties, are up about 400 percent. We have looked at front money and credit, which is the measure we have going into any event, and it is two times the biggest fight we’ve ever had. (Manny) Pacquiao-(Floyd) Mayweather, a couple of years back, was the biggest event we ever had. Going into it with four or five weeks to go, it is the biggest event we’ve ever seen.”
“But when you have a fight, you don’t have to cut down your trees,” Brewer told Hornbuckle, a reference to MGM removing trees from the front of Bellagio to producer better sightlines for F1 fans watching the race from grandstands being built atop the lake at Bellagio.
“Oh, you’re killing me,” he said. “No, you don’t have to cut down your trees. We have additional trees that will go in pots that we are going to bring back. I promise you, I promise. I’ve gotten so beat up on this on social media.”
Culinary negotiations
Hornbuckle said it will be important for the Culinary Union and resort properties to seek out long-term solutions.
“We’ve had a relationship with the Culinary in this town for the entire time our company’s existed. The last major strike we did in Las Vegas was 1984, so it’s been 39 years,” he said.
“Obviously there’s a great deal of pressure. If you look at what’s happened to our workforce here, and it’s kind of interesting, it’s divergent. There are those that are tipped and then non-tipped. And what’s happening, if you’re a tipped employee in today’s environment in Las Vegas, particularly with the rise in pricing, you’re doing better than you’ve ever done.
“If you’re a non-tipped employee and you think about COVID and you think about some of the work rules that have been put in play and what the consumer now wants, 40 percent of the consumers don’t want their room cleaned, which means if you’re a guest-room attendant, you’re getting nothing but checkouts to do. So there’s added pressure on that. And so we understand that. We need to adapt to that.
“Myself and the other CEOs in town are engaged at the highest level with the union. I’d like to think and hope to believe that we will get to a satisfactory place over the coming weeks.
“I think what’s important is to end up in a rational place for both them and us, because it’s got to be about the long term. We can’t do something that’s irrational, and we won’t. And so we’re thinking about it longer term, and we’ll see where we end up.”
Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.