MGM resorts hit by alleged ransomware attack

An alleged ransomware attack disrupted systems at MGM resorts starting on September 10, potentially putting sensitive financial and personal information in the hands of malicious actors.

Malware archive vx-underground posted on the night of September 12 that the ALPHV/BlackCat ransomware gang had claimed responsibility for the attack, using social engineering to break into the systems, Cybernews reported.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” vx-underground wrote on the X app. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

Customers began reporting outages the night of Sept. 10. MGM has properties across the country—most notably in Las Vegas, but also in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York, and Ohio—which have been affected by the issue.

The company took its online systems down in the wake of the incident. ABC News reported September 12 that MGM is working with the FBI to manage and investigate the incident.

Protection. Jeremy Snyder, founder and CEO of cybersecurity firm FireTail, told IT Brew that because of the immediate impact on consumers—with ATMs and hotel reservations, for example, being affected—it was likely impossible for MGM to keep the situation under wraps.

“The disclosure and the reporting came out very quickly, and one of the challenges around that happening so quickly is there’s usually not enough time to do the forensics work necessary to figure out exactly what the initial breach factor was, or how long bad actors might have been on their networks,” Snyder said. “It’s too early to know on either of those points.”

Check Point Software Technologies Field CISO Pete Nicoletti told us in an email that he recommended that customers with debit cards attached to MGM accounts ask for their cards to be reissued.

“Of course, if the credit cards are stolen, they’re going to offer credit monitoring. But anybody who’s using a debit card doesn’t have that legal protection,” Nicoletti said. “So, they don’t have the 30-day grace period to look at their statement.”

FireTail’s Snyder told us that consumers have limited ways to protect themselves—especially as some MGM systems are expected to remain down—but there are some common-sense measures you can take. First, make sure your username and password for anything MGM-related aren’t duplicated on any other sites.

“But until their systems come back online, there’s not much that you can do in the way of securing your MGM Rewards account or deleting your MGM Rewards account, because those systems aren’t available,” Snyder said.