MGM Investigated by Federal Trade Commission Over 2023 Cyberattack 

During the fallout from the ten-day 2023 cyberattack against the largest U.S. gambling operator, MGM Resorts International, some minor details escaped widespread attention.

One of those was that Federal Trade Commission (FTC) Chairwoman Lina Khan was on a visit to Las Vegas during the September attack.

She was supposed to be staying at the MGM Grand. Her experience sparked first-hand FTC interest in the case, which turned out to be one of the biggest and most significant cyberattacks on a U.S. company in recent years. 

During her visit, Khan was asked to put down credit card information for her MGM Grand stay via pen and paper. This may have been unavoidable, given the cyber outage. However, Khan was reportedly unimpressed with the response when she questioned staff about data regulations.

Six months later, the FTC has a pivotal decision to make in its investigation.

In January, the FTC obtained a Civil Investigative Demand (CID) against MGM. In late February, the gambling operator moved to dismiss the CID, claiming it asked for far more information than was pertinent to the stated scope of the FTC’s investigation. However, full reports on the matter were only brought to light this week in the media.

The Attack

Between September 10 and September 20, 2023, MGM Resorts International suffered a massive cyberattack. The culprits were allegedly the hacking group Scattered Spider.

The attack locked MGM employees out of nearly all of its IT services for several days. That included slot machines, booking systems, room key cards, banking, the rewards program, and almost every other aspect of all its casino and hospitality operations across the U.S. 

MGM refused to pay the hackers’ ransom demands. Eventually, MGM execs said that the decision cost the company $100 million in business disruptions over the 10-day period.

It was later revealed that a week earlier, rival Las Vegas Strip operator Caesars was the victim of a similar attack. 

However, Caesars paid the attackers’ demands in order to get its system back online. It cost the company a fee reportedly between $15 million and $30 million.

The Investigation and MGM’s Response 

Among the tens of thousands of MGM Resorts customers disrupted by the attack was FTC head Khan.

Because of the tech outages, the regulatory head was forced to write down her credit card information on a piece of paper at the front desk of the MGM Grand during her visit. 

She asked the customer service rep about data security protocols under such circumstances. Reportedly, the MGM rep merely shrugged and gave no answer. 

There is no suggestion that the FTC’s investigation was conducted solely because of this coincidence. However, it cannot have helped MGM in the matter.

In January, the FTC compiled its CID and sent it to MGM. It requested years’ worth of documents relating to cyber and data security.

In February, MGM replied with a legal request to quash the CID. It said that the requested information was difficult to compile. Moreover, lawyers said they believe that the investigation’s demands exceed the regulator’s powers. 

“The CID calls for the production of more than one hundred different categories of information, spans multiple years with no relevance to the attack, and perhaps most problematic of all, represents an unprecedented attempt by Staff to invoke the Safeguards Rule and the Red Flags Rule, which do not apply to MGM’s operations,” said the legal filing from lawyers DLA Piper LLP on behalf of MGM Resorts International.

“For these reasons, and despite MGM’s attempts to informally resolve these issues with Staff, MGM was left with no choice but to file this Petition to Quash or Limit.”

The Federal Trade Commission is still considering this petition, with no time frame set for a decision.
