MGM Resorts computers back up after 10 days as analysts eye effects of casino cyberattacks

LAS VEGAS — MGM Resorts brought to an end a 10-day computer shutdown prompted by efforts to shield from a cyberattack data including hotel reservations and credit card processing, the casino giant said Wednesday, as analysts and academics measured the effects of the event.

“We are pleased that all of our hotels and casinos are operating normally,” the Las Vegas-based company posted on X, the platform formerly known as Twitter. It reported last week that the attack was detected Sept. 10.

Rival casino owner Caesars Entertainment also disclosed last week to federal regulators that it was hit by a cyberattack Sept. 7. It said that its casino and online operations were not disrupted but it could not guarantee that personal information about tens of millions of customers, including driver’s licenses and Social Security numbers of loyalty rewards members, had not been compromised.

Caesars, based in Reno, is widely reported to have paid $15 million of a $30 million ransom sought by a group called Scattered Spider for a promise to secure the data.

Details about the extent of the MGM breach were not immediately disclosed, including the kind of information that may have been compromised and how much it cost the company.

Gregory Moody, professor and director of the cybersecurity program at the University of Nevada, Las Vegas, pointed to quoted estimates that the computer shutdown cost the company up to $8 million per day, which could put the cumulative effect at $80 million. But Moody also noted that MGM Resorts reports annual revenues above $14 billion, which would mean it averages at least $270 million in revenues per week.

The company reported Wednesday that systems handling resort services, dining, entertainment, pools and spas were operational and its website and app were taking dining and spa reservations while the company worked to restore hotel booking and loyalty reward functions.

“MGM Resorts properties in Las Vegas and throughout the country are back to normal operations,” spokesman Brian Ahern told The Associated Press. MGM also has properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio.

FBI spokeswoman Sandra Breault in Las Vegas declined to comment and referred to a previous statement by the agency saying an investigation was ongoing.

Experts said the attacks exposed critical cybersecurity weaknesses at MGM and Caesars and shattered an image of casino invulnerability.

“At this point, all casinos should be moving to the highest defensive posture possible and taking active measures to verify the integrity of their systems and environment, and reviewing — if not activating — their incident response processes,” said Christopher Budd, a director of threat research at cybersecurity firm Sophos X-Ops.

Caesars Entertainment is the largest casino owner in the world, with more than 65 million rewards members and properties in 18 states and Canada under the Caesars, Harrah’s, Horseshoe and Eldorado brands.