MGM Resorts is contending with two class action lawsuits lodged in a U.S. District Court in Nevada, related to a cyberattack it endured earlier this month. The lawsuits accuse MGM Resorts of negligence and profiting unlawfully due to its failure to safeguard the personal information of its patrons from an alleged social engineering attack.
The claimants argue separately that MGM ought to have been aware of the attack risks, citing earlier alerts from Okta about being repeatedly subjected to similar attacks, and accuse the company of neglecting necessary steps to defend customer information.
MGM Resorts said on Wednesday that its hotel and casino operations had returned to normal, following over ten days of disruptions affecting various operational facets including the reservations system and digital room keys. Nonetheless, the company is grappling with residual concerns and has advised guests to watch their MGM Rewards Mastercard accounts for potential fraudulent activity.
The cyberattack on MGM Resorts is attributed to threat groups Scattered Spider and AlphV/BlackCat, who are believed to have collaborated, using one group’s ransomware-as-a-service infrastructure to execute the attacks. AlphV/BlackCat reportedly claimed to have gained superior administrative privileges in MGM Resorts’ Okta and Azure environments and to have launched ransomware attacks against numerous company hypervisors.
MGM Resorts had previously disclosed the cyber incident in a filing with the Securities and Exchange Commission, but has declined to comment on the ongoing litigation. The investigation into the incident involves multiple agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency, with Okta assisting in the response but denying any compromise of its environment.
The Federal Trade Commission has remained silent on any inquiries or complaints it might have received regarding MGM Resorts’ data security protocols. MGM Resorts has a history with cyberattacks, having been a victim in 2019 when hackers pilfered the personal details of over 10.6 million guests.
The Nevada Gaming Control Board, along with Gov. Joe Lombardo, is keeping a close eye on the unfolding situation, especially in the wake of another cyberattack on Caesars Entertainment earlier this month that saw the theft of its rewards member database.
The ongoing cyberattacks highlight the heightened security risks facing the hospitality and entertainment industry, prompting a call for reinforced security mechanisms to protect customer data and corporate information from malicious entities.