103°F
weather icon Clear
Las Vegas, NV
Casinos & Gaming

FTC seeks order forcing MGM to respond to cyberattack probe

Guests wait to check in at the Bellagio on Friday, Sept. 15, 2023, in Las Vegas. MGM Resorts In ...
Guests wait to check in at the Bellagio on Friday, Sept. 15, 2023, in Las Vegas. MGM Resorts International’s Las Vegas properties are experiencing ongoing in turmoil after five days of cybersecurity issues believed to be a cyberattack by hackers. (Ellen Schmidt/Las Vegas Review-Journal) @ellenschmidttt
Impatient guests playing on slot machines at New York-New York Hotel and Casino wait for employ ...
Impatient guests playing on slot machines at New York-New York Hotel and Casino wait for employees to pay them out in cash on Saturday, Sept. 16, 2023, in Las Vegas. MGM Resorts International’s Las Vegas properties continue to experience technological issues in the wake of a cyberattack by hackers. (Las Vegas Review-Journal)
An employee at Bellagio pays out a guest in cash after they win at a slot machine on Saturday, ...
An employee at Bellagio pays out a guest in cash after they win at a slot machine on Saturday, Sept. 16, 2023, in Las Vegas. MGM Resorts International’s Las Vegas properties continue to have technological issues during ongoing cybersecurity issues believed to be due to a cyberattack by hackers. (Daniel Pearson/Las Vegas Review-Journal)
Guests walk into Bellagio on Monday, Sept. 18, 2023, in Las Vegas. MGM Resorts International’ ...
Guests walk into Bellagio on Monday, Sept. 18, 2023, in Las Vegas. MGM Resorts International’s Las Vegas properties continue to have technological issues during ongoing cybersecurity issues believed to be due to a cyberattack by hackers. (Las Vegas Review-Journal)
Bellagio guests outside of the casino on Saturday, Sept. 16, 2023, in Las Vegas. MGM Resorts In ...
Bellagio guests outside of the casino on Saturday, Sept. 16, 2023, in Las Vegas. MGM Resorts International’s Las Vegas properties continue to have technological issues during ongoing cybersecurity issues believed to be due to a cyberattack by hackers. (Las Vegas Review-Journal)
More Stories
Durango Casino & Resort in southwest Las Vegas, Thursday, Nov. 30, 2023. (Rachel Aston/Las ...
Station Casinos moving ahead with Durango expansion
Guests lounge by the pool at The Mirage on Saturday, March 6, 2021, in Las Vegas. (Benjamin Hag ...
What’s happening with Mirage room rates ahead of July closure?
Aria is seen on the Las Vegas Strip, Friday, March 19, 2021. (Chitose Suzuki / Las Vegas Review ...
‘Brief’ Sunday system outage behind lobby lines at some MGM resorts
This is an aerial view of Joker's Wild casino on Boulder Highway and the Cadence housing develo ...
Jokers Wild could grow into Cadence’s neighborhood casino
By / Las Vegas Review-Journal
June 18, 2024 - 4:16 pm
 
Updated June 18, 2024 - 7:12 pm

The Federal Trade Commission has filed a petition in U.S. District Court in Nevada to force MGM Resorts International to respond to an investigative demand for information related to the September cyberattack against the Las Vegas-based resort company.

MGM has refused to respond to the civil investigative demand, known as a CID.

“Judicial enforcement is necessary so that FTC staff may thoroughly and expeditiously conduct its investigation,” the FTC said in its petition. “The FTC respectfully asks this court to issue an order requiring MGM to appear and show cause why it should not comply with the CID and thereafter grant the FTC’s petition and enter an order compelling MGM to produce the documents and information specified in the CID.”

The FTC’s petition says it’s important to investigate because since 2019, MGM has had other publicly reported data security breaches compromising consumers’ personal information, according to the agency, the most recent occurring in September 2023. An earlier breach reportedly occurred in February 2019.

The FTC asks that MGM be required to respond to the CID within 10 days of issuance of the court order it seeks.

The petition is related to MGM’s pending April lawsuit, filed against the FTC and its chairwoman, Lina Khan, in the District of Columbia District Court.

“We’ve worked with federal law enforcement from the outset and followed the government’s guidance by refusing to pay a ransom and reward criminals for their horrendous actions,” an MGM spokesman said Tuesday in response to the FTC’s petition. “The idea that the government would threaten and punish victims for doing so sends a dangerous message that emboldens criminals and threatens national security. Our suit against the FTC to protect our rights under due process is still pending.”

Disqualification sought

MGM is asking that Khan be disqualified from participating in the investigation because she and an aide were guests at the MGM Grand in September when the cyberattack — that cost the company an estimated $100 million — was unfolding.

MGM also has asked the court to declare the FTC’s Rules of Practice with respect to Petitions to Recuse Commissioners unconstitutional and to say the company is not subject to two rules imposed on financial institutions — the so-called “Red Flag Rule” and the “Safeguards Rule.”

The “Red Flag Rule” requires companies to create a written identity theft prevention program designed to identify, detect and respond to “red flags” indicating possible identity theft. The “Safeguards Rule” requires covered companies to develop, implement and maintain an information security program.

The FTC considers MGM subject to those rules because they issue “markers” to high-rolling gamblers. While gambling with markers represents a small percentage of casino play, gaming companies say it’s the equivalent of a gambler playing on a tab and not on credit.

The lawsuit also seeks a reasonable deadline to file the CID if the FTC is allowed to continue its investigation. The company wrote a letter to the agency unsuccessfully seeking a deadline extension because the agency is asking for the production of more than 100 different categories of information spanning multiple years. MGM believes much of the information sought is irrelevant to the cyberattack.

The lawsuit, filed June 14, also seeks reimbursement of court costs and other damages the court identifies.

September cyberattack

The incident began in September when MGM’s computer systems were attacked by hackers believed to be an international group with domestic ties seeking a ransom payment.

At the direction of federal investigators, MGM refused to pay a ransom.

During the incident, hundreds of slot machines were inoperative, guests could not access their rooms with smartphones and credit-card payment systems were disrupted, leading to the manual processing of credit-card transactions.

Among the guests were Khan and an aide, who were in Las Vegas for a conference.

On Sept. 15, Bloomberg reported Khan and the aide questioned the procedures MGM was taking during the cyberattack.

“When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper,” the lawsuit says. “As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn’t know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal.”

Four months later, on Jan. 25, the FTC filed its CID.

Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.

THE LATEST