MGM Resorts International, in what appears to have been a major cyber-attack, announced on Monday that it was working with law enforcement and cybersecurity experts to address a “cybersecurity problem affecting some of the Company’s Systems.”
There are reports that the slot machines at MGM’s Bellagio, Aria, and other properties are down and that guests are locked out. Vital Vegas reported a “systemwide failure at Bellagio and possibly other MGM Resorts” – cash payments only in restaurants, no credit cards or room charges, and digital room keys do not work.
— Vital Vegas (@VitalVegas) September 11, 2023
Vital Vegas reported a similar hacking in 2019 where 10,7 million customer records were compromised. Names, addresses, dates of birth, emails, and phone numbers were then shared on Telegram and a hacker’s forum. A class-action lawsuit is currently being filed to determine the amount owed to victims whose identities were exposed in this attack.
Throwback to another time MGM was hacked. https://t.co/VPmmCftigT
— Vital Vegas (@VitalVegas) September 11, 2023
According to Bleeping Computer:
The computer systems at the resorts have been down since Sunday night.
Online reports note that the company has switched to manual operation due to the credit card machines being affected.
MGM Resorts’ main website has also been taken down. Customers can still make reservations by phone “at any of our destinations”.
MGM Rewards customers will also be affected. They have been instructed to contact a Member Services Number between 6 AM and 11:00 PM Pacific Time.
All MGM sites use the same domain as the main MGM website – i.e. The mgmresorts.com website has been down for several hours.
BleepingComputer tested several of them, and all displayed the same message instructing visitors to dial a telephone number. This included MGM National Harbor Casino, Empire City Casino Casino, MGM Springfield Casino, MGM Grand Detroit Casino, Beau Rivage Casino and The Borgata Casino.
8NewsNow reported that guests “couldn’t access their hotel room Sunday night using digital keys.” The guests also said that the credit card machines at hotel restaurants were not working, which made eating in the hotel impossible.
At the time of publication, it’s unclear which systems were shut down intentionally by the company in an attempt to contain the intrusion or which ones resulted directly from the hacking.
MGM’s Las Vegas properties include MGM Grand and Bellagio. Also included are the Cosmopolitan, Aria New York New York, Park MGM Excalibur Luxor Mandalay Bay Delano, and Park MGM Excalibur. Casino also operates resorts in Macau and in China.
This attack follows a major incident that occurred over the weekend with Square, a company that processes transactions for millions of small businesses around the world.
Many businesses report that without the ability to accept credit cards, they have turned away customers because they don’t have the cash. Or, taking a huge risk, writing down the credit card number to be processed later, in the dark, not knowing whether the card would go through. Square’s customer service was closed down despite their customers losing thousands per hour. The voicemail that appears says the line is not available.
Square has said that although the incidents at both companies led to similar outages on a large scale, its problems were not caused by hackers.
The DNS, also known as the Domain Name System (DNS), was affected by the outage. The combination of updates to our internal software caused our systems not to communicate properly with each other. This led to the disruption. This issue affected our internal tools used for support and troubleshooting, which were temporarily unavailable. The outage did not compromise any data of either the seller or buyer.
Last week, there was a cyber attack on a crypto-casino.
The cyber attack targeting the cryptocurrency casino https://t.co/AJiCVxyvkL has resulted in a total damage of $41,300,000.
— Criminal IP (@CriminalIP_US) September 10, 2023
At a blog called The Nimble Nerd, JJ points out that it’s not MGM’s assets that thieves are after: “Who needs poker chips when you can play with personal data?” He added:
Oh, the glitz and glam of Las Vegas! The dazzling lights, the thrilling casino games, and now, a complimentary cyber-incident courtesy of MGM Resorts. Truly, what happens in Vegas, doesn’t always stay in Vegas. Especially when it involves cybercriminals who can’t resist the allure of a jackpot in the form of your personal data. While MGM tries to shuffle its digital deck, we are left wondering if cybersecurity is merely a roll of the dice in the casino of life.
Indeed. While our interconnected world improves the efficiency of business and adds convenience to consumers, it poses a growing danger to the public, and in particular to the stability of our financial systems. Confidence in systems drops when hackers, be they state-sponsored or individuals, are able to take them down and keep them offline for hours or even days. We’ve seen a variety of incidents in recent years, from bank failures to Reddit users shorting GameStop’s stock, to increase the company’s share price, which led to brokerages suspending trades. As this hack of MGM’s systems demonstrates, no company (or government) is too big to be compromised–something that should concern all of us.
You’ll want to bury all your 401k money in your backyard.