MGM Resorts International reported a “cybersecurity issue” Monday that may have affected its hospitality, gaming and entertainment properties across the U.S.
The issue may still be affecting the publicly traded company: Some of its websites were down late Monday, and it urged customers to book rooms and request reservations by phone.
Several major hotels in Las Vegas, including the Bellagio, were left with faulty door locks, inoperable slot machines and other problems Monday after hotel officials said they were hit with a cyberattack.
The FBI said it is investigating the attack on MGM Resorts International hotels, which happened early Monday morning. The company said, “it took prompt action to protect our system and data, including shutting down certain systems.”
“Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter,” MGM said in a post on X, formerly known as Twitter.
Its full impact on reservation systems and casino floors in Las Vegas, the company’s base, as well as at properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio, was unknown, spokesperson Brian Ahern said.
In a statement Monday evening, the company said that the issue was ongoing but that its casino gaming floors were operational. “We continue to work diligently to resolve this issue,” it said.
Earlier in the day, MGM resorts said that the matter affected “some of the company’s systems” and that law enforcement had been notified.
Some MGM systems were shut down to protect data, and the company launched an internal investigation with the help of “leading external cybersecurity experts,” it said.
The FBI in Las Vegas and the Nevada Gaming Control Board did not respond to requests for comment.
MGM lists 19 properties in the U.S. They include some of the most popular resorts in Las Vegas, including the Bellagio, Mandalay Bay and the Cosmopolitan. It also has properties in China.
Late last year Nevada’s gaming board approved stricter cybersecurity measures, including a three-day window to report any online system breaches.
In July, the Securities and Exchange Commission adopted a similar rule for large, publicly traded companies. It requires a significant breach to be reported within four business days, but the requirement won’t be in effect until December.
Casino and lodging operator MGM Resorts
shut down a number of its computer systems including its website in response to a “cybersecurity issue,” the company said in a social media post Monday.
The initial shutdown impacted nearly every aspect of the casino operator’s business. Reservation systems, booking systems, hotel electronic key card systems, and the casino floors were all apparently impacted by the outage.
The company’s email systems were also apparently taken down in response to the cybersecurity issue, and have not yet come back online.
The company said that as of Monday evening, their casino floors were back online. But the reservation systems that power their thousands of hotel rooms and the booking system that controls reservations for their restaurants are apparently still down, more than a day after the first reports of the incident began to circulate.
MGM operates thousands of hotel rooms across Las Vegas and the United States. Revenue from their hotel rooms in Las Vegas outstrips the revenue directly attributed to their casino operations, according to SEC filings. The company reported Las Vegas rooms revenue of $706.7 million for the quarter ended June 30, compared to casino revenue of $492.2 million for the same period.
“We quickly began an investigation with assistance from leading external cybersecurity experts,” MGM said in a post on X, formerly known as Twitter. “We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”
The FBI confirmed that it was aware of the “ongoing” incident but did not provide further information.
MGM shares closed down nearly 2.4% on Monday.
MGM’s website has been replaced by a landing page advising that patrons contact their hotels or casinos directly via phone. It wasn’t immediately clear when the outage started, although some users on social media reported that MGM’s systems were down as early as Sunday night.
The company has had cybersecurity incidents in the past. In 2020, the personal details of more than 10 million MGM visitors were published on a hacking forum. The information was exfiltrated in the summer of 2019, the company said at the time.
The scope of the government response, beyond the FBI involvement, was not immediately clear. The government identified the “commercial facilities sector,” which includes gaming and lodging, as critical infrastructure in 2003.
“A large communications failure or intentional cyberattack could substantially disrupt payments and basic operations, compromise customer and company data privacy, threaten company integrity and reputation, and create large legal and economic burdens,” the Department of Homeland Security warned in a 2015 sector-specific plan.
At midday on Monday, the websites for all MGM Resorts International locations were offline. For those needing to contact the locations, a website with phone numbers for each resort was available.
Many slot machines were non-functional at MGM Resorts property Aria at midday on Monday.
8 News Now spoke with visitors at the Aria casino who voiced some frustration.
“As soon as I tried to put this ticket in it wouldn’t take it,” Lakaisa Bryant said. “Right now we are just sitting around trying to figure things out.”
MGM Resorts has shut down some of its systems as a result of a “cybersecurity issue,” according to a company social media post on Monday.
“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts,” the company said on X, formerly known as Twitter.
MGM Resorts (MGM) says it’s working with law enforcement and “took prompt action to protect our systems and data, including shutting down certain systems.”