MGM Resorts officially disclosed a “cybersecurity issue” with the Securities and Exchange Commission in an 8-K filing Wednesday, after taking its systems offline earlier this week.
The hotel and casino company said it has launched an investigation with leading external cybersecurity experts and has contacted law enforcement, according to a press release it issued Tuesday night.
The company said it has taken steps to protect its systems and data, including shutting down certain systems.
The investigation is ongoing, and MGM is working to resolve the matter and will continue to take steps to secure its business operations. The FBI previously told Cybersecurity Dive it was aware of the incident, but would not provide any details because the matter is ongoing.
Moody’s Investors Service called the incident “credit negative” for the company, citing the potential loss of revenue, reputational risk and direct costs for remediation and investigation.
Moody’s also cited research from cybersecurity firm Bitsight, which gave MGM Resorts a grade of “F” for patching cadence.
MGM Resorts includes more than 30 casino and hotel properties in the U.S. and abroad, as well as an extensive sports betting and online casino business. Some of the world’s biggest gaming casinos are part of the portfolio, including Bellagio, Mandalay Bay, MGM Grand, Empire City Casino in Yonkers, New York, and others.
Cybersecurity experts widely consider the incident the result of malicious behavior by an outside actor and a possible ransomware attack.
Earlier this week, hotel and casino guests were unable to use digital room keys to access their hotel rooms, and the hotel was unable to process card payments, access ATMs and operate slot machines, according to multiple social media posts.
The company had said its dining, gaming and entertainment venues were operational, in an update on X, the social media platform formerly known as Twitter, earlier this week.
The incident marks the company's second major cyber incident in four years, after a 2019 attack resulted in a massive data dump by a threat actor who posted the personal information of about 10.6 million customers online.
The company is facing litigation over that incident, and Nevada passed new legislation at the end of 2022 that requires gaming companies to disclose updates on their cybersecurity posture.
Officials from the Nevada Gaming Control Board, which oversees those new cyber disclosures, declined to comment on the MGM Resorts situation.