Last month, both Caesars and MGM were victims of a cyberattack that knocked MGM offline and forced Caesars to pay a whopping $15 million ransom to avoid the same fate. However, both gaming giants saw their databases compromised and customers are filing lawsuits because of it.
Data Breach Blues
MGM Resorts International was the victim of a cyberattack by two shadowy groups named AlphV and Scattered Spider that worked in conjunction to disrupt its systems and breach its database. The company said it would trigger a $100 million loss to its third-quarter earnings report as it continues to restore all of its operations and safeguard against future attacks.
MGM has declined to answer whether or not any ransom had been paid, but contact information, as well as gender, date of birth, and driver’s license numbers, were compromised to those customers who have been customers of MGM before 2019.
“We also believe a more limited number of Social Security numbers and passport numbers were obtained,” they said. “We have no evidence that the criminal actors have used this data to commit identity theft or account fraud.”
On the bright side, MGM said no customer bank account numbers or credit card information was accessed, and its luxury resort hotel, The Cosmopolitan of Las Vegas, was unaffected in any way by the breach.
“Virtually all of the Company’s guest-facing systems have been restored,” the company said.
Caesars Pays Up
Although MGM would not disclose whether or not they paid a ransom, Caesars revealed the hackers initially wanted $30 million but settled for $15 million. Caesars Rewards customers were compromised as the database, which includes their driver’s license numbers and Social Security numbers, was breached for a “significant number of members.”
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in its SEC filing.
Callie Guenther, senior manager of cyber threat research at Critical Start, stated, “Caesars’ more rapid recovery post-ransom might give the impression they made a better decision (than MGM). From a business continuity perspective, their decision to pay might seem effective.”
But Guenther also said, “However, paying a ransom, while providing immediate relief, carries long-term considerations. The speed of their recovery post-payment suggests they had robust backup and restoration processes in place, but it also raises questions about their preventative measures leading up to the attack.”
Both companies have been hit with a combined nine federal lawsuits emanating from the data breaches. The first lawsuit was filed in New Jersey, with the District Court on September 18th, and then four more followed on September 21st, while more were added on September 22, 27, 28, and 29.
The case filed on September 21st, Emily Kirwan v. MGM Resorts International, asserts, “The injuries to Plaintiff and Class members were directly and proximately caused by Defendant’s failure to implement or maintain adequate data security measures. Once [Personal Identifiable Information] is stolen, fraudulent use of that information and damage to victims may continue for years.”
Virginia resident David Lackey was the latest to hand his gripes against Caesars to the U.S. District Court in Nevada. Lackey has been a Caesars Rewards member for 20 years and he is concerned about his information being disclosed. He has also said that he has experienced increased text phishing attacks since the data breach.
OddsTrader will continue to monitor this story and update our readers as events unfold.