Published: September 14, 2023

FBI investigates after MGM’s casinos and hotels hit by ‘cyber incident’

The FBI is investigating a “cyber incident” at MGM Resorts International, as guests at one of the world’s largest casino operators struggled with digital room keys and reservations, and some slot machines remained inoperable.

The company issued a brief statement on X, formerly known as Twitter, blaming the disruption on a “cyber security issue affecting some of the company’s systems”, while many of its websites remained unreachable on Tuesday.

The outages appeared to have affected MGM’s properties not just in Las Vegas, where it runs the Bellagio, Aria, Cosmopolitan and Excalibur casino resorts, among others, but also as far as Atlantic City in New Jersey and Ohio, according to reports on social media from customers being told to seek handwritten receipts for winnings.

On social media, customers complained about problems checking in online, and about some slot machines that appeared off. Gambling on the floors seemed to be continuing, according to others. In a statement to a Las Vegas television channel, MGM said gambling was continuing in “manual mode”.

The FBI said it was looking into the issue, and the company did not respond to emails seeking comment.

A person who answered the phone at the Nevada Gaming Commission said no one was available to handle queries on the issue.

With tens of thousands of hotel rooms and $3.9bn in revenue in the quarter ending June 30, MGM was reaping the benefits of eased covid restrictions in its Macau properties. Its shares have fallen 3.8 per cent since Friday’s close.

Nobody appears to have taken credit for the attack on known dark web forums, but it is not uncommon that it takes days for either a cybercriminal gang to brag about it, or for an affected company’s security response team to attribute it to a specific group. It is also not uncommon for a company facing an isolated cyber incident to protectively turn off larger parts of its network to stop the attack from spreading while it investigates and kicks attackers out of its systems.

MGM, in its statement, said it had “shut down certain systems” to protect its data. MGM has been hacked before — some 10mn customers had their personal information exposed in 2019. Iranian hackers targeted rival Sheldon Adelson’s Las Vegas Sands Corp. in 2014 following comments the pro-Israel Adelson had made about the Islamic Republic’s nuclear program.

© Public Gaming Research Institute. All rights reserved.