US casino giant MGM Resorts battles 36-hour outage after cyber attack

Multiple systems at US hotel and casino operator MGM went down in the wake of the incident on 10 September, crippling several of Las Vegas’ most prominent casinos

Alex Scroxton,
Security Editor

Published: 12 Sep 2023 16:45

US leisure and hospitality giant MGM Resorts is battling through an IT outage after a cyber attack forced it to take multiple systems down across its properties, leaving front desk and concierge services to fall back on pen and paper, rendering slot machines on its gaming floors inoperable, and supposedly locking guests out of their rooms.

The incident, which appears to have begun on Sunday 10 September, affected resorts all over the US, including several of the most prominent casinos on the renowned Las Vegas Strip, including the Bellagio, Excalibur, Luxor, Mandalay Bay, the MGM Grand and New York New York.

In a statement posted to X, the website formerly known as Twitter, the organisation said: “MGM Resorts recently identified a cyber security issue affecting some of the company’s systems.

“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cyber security experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”

At the time of writing, MGM’s main website remains inaccessible and the organisation is asking guests to contact it via telephone. The firm said its resorts, including dining, entertainment and gaming services are operational. It also denied suggestions that guests had been locked out of their rooms and suites.

The exact nature of the breach remains undisclosed for the time being – although Nevada has very strict breach reporting laws on its books. The fact that MGM Resorts appears to have pulled multiple systems offline strongly suggests its IT and security teams are trying to contain a ransomware attack.

Ryan McConechy, CTO of Barrier Networks, said that taking systems offline was a routine move at organisations that run large and complex networks, but until MGM provided more information, the exact reason would remain unclear.

“It is very costly move,” said McConechy. “For every minute the gaming floor was down, MGM was losing money. Likewise, with reservations and their websites still being down, the company continues to suffer massive financial losses.

“Understandably, this may be to prevent active attackers pivoting or malware spreading, but when organisations segment their networks effectively, this scale of downtime can usually be avoided,” McConechy told Computer Weekly in emailed comments.

“Organisations must work to segment their assets, so no attacker can ever reach everything at once. This stops the risks of malware spreading and means when incidents do occur, they can be more easily identified and contained without impacting other network areas, which saves significant financial losses caused by downtime,” he added.

Deep-rooted cyber issues

Erfan Shadabi, a cyber security expert at Comforte AG, said the attack spoke to more deep-rooted security issues within the hospitality sector.

“In an era where digital transformation is reshaping the way the tourism industry operates, the reliance on interconnected systems and data-driven processes has never been greater,” he said. “As such, the sector becomes an attractive target for cyber criminals seeking financial gain or to exploit vulnerabilities for malicious purposes.

“The MGM Resorts incident is emblematic of this overarching challenge. Recognising the pivotal role technology plays in enhancing guest experiences, optimising operations, and facilitating global connectivity, the tourism industry must allocate resources to bolster its cyber security posture.”

In a report released last week, Trustwave’s research unit SpiderLabs revealed that 31% of hospitality organisations have reported a data breach, of which 89% have been affected multiple times in the space of a year.

The report outlined some of the cyber security challenges unique to the hospitality sector, such as a seasonal and less sophisticated workforce, constant turnover of users, ‘dirty’ networks open to the public, and physical security issues.

At the same time, the hospitality sector has been embracing new technologies such as the use of generative AI to improve guest experiences, as well as contactless payments, and an increasing reliance on third-party technology services providers, all of which increase risk.

“In an industry where guest satisfaction and reputation are paramount, staying secure while offering cutting-edge technology is a delicate balancing act,” observed Trustwave CISO Kory Daniels.

Read more on Data breach incident management and recovery

Cost-of-living crisis hampers UK remote work