MGM Resorts International said in a Friday morning statement (Asia time) that it expects the cybersecurity issue that brought down various systems across its North American operations will have a negative impact of around US$100 million on its Adjusted EBITDAR for the month of September.
The company also confirmed that some customer data was obtained by those who perpetrated the attack, primarily information such as the gender, date of birth and driver’s license numbers of customers who transacted prior to 2019, and for a smaller group of customers Social Security numbers and passport numbers.
As reported by Inside Asian Gaming, the 12 September cyberattack initially impacted MGM’s website and email, but soon saw many slot machines offline at its Las Vegas Strip properties as well as Borgata in Atlantic City and MGM Northfield in Ohio.
There were also reports at the time of ATMs being offline and guests being locked out of their hotel rooms because their digital keys were not working, while most transactions across the MGM network were manual and cash only due to credit card machines being offline.
MGM said this morning that it believes the disruption will have a negative impact on its 3Q23 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter.
This includes a US$100 million hit to Adjusted EBITDAR for the month of September, with hotel occupancy falling to 88% for the month compared to 93% in September 2022. The company also incurred nearly US$10 million in one-time expenses in Q3 related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third-party advisors, it said.
However, “The Company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by Formula 1. The Company is further forecasting occupancy to be 93% in October (compared to 94% in the prior year period) and to fully rebound in November for the Las Vegas Strip Resorts.”
In relation to data breaches, MGM said it does not believe that customer passwords, bank account numbers or payment card information were obtained, that the attackers accessed The Cosmopolitan of Las Vegas systems or data, or that the data obtained has been used for identity theft or account fraud.
It added that, since the attack, “operations at the Company’s domestic properties have returned to normal and virtually all of the Company’s guest-facing systems have been restored. The Company continues to focus on restoring the remaining impacted guest-facing systems and the Company anticipates that these systems will be restored in the coming days.”
MGM Resorts was previously the victim of a cyberattack in 2019 which later saw the personal details of more than 10 million guests published online, including those of pop singer Justin Bieber.
In a recent note, Moody’s Investors Service said the cybersecurity incident was “credit negative” for MGM and highlighted key risks to the business’s operations.