While the Caesars ransomware attack may have seemed to be an advertisement for paying ransom demands, the MGM incident looks to be an endorsement for maintaining a good cyber insurance policy despite the cost and hassle. A recent SEC statement indicates that MGM expects a little over $100 million in total cost from the “Scattered Spider” incident, but that most or all of that will be covered.
The company also said that most of that financial damage came from loss of hotel bookings during the extended recovery period, reporting a 5% drop compared with September 2022. Though cyber insurance still generally covers business interruption even during this period of extreme market contraction, it is interesting that there appears to have been no exception in the policy in this case even though guests were still able to book rooms by phone or in person.
Some details still missing, but MGM says attack is now contained
Concern grew as property amenities and computer and app functions remained offline for weeks, but MGM now says that the attack is fully under control. MGM has indicated that the slow recovery was due less to direct damage from the ransomware and more to a very quick precautionary shutdown of systems and the extended period required to get them all back online safely.
MGM and primary rival Caesars took opposite approaches in handling the Scattered Spider breaches, with Caesars ultimately negotiating and paying a $15 million ransom. Both will have to live with the ongoing uncertainty of exfiltrated customer data reappearing on the dark web at some point in the future, but thus far it appears that there are only scattered credential stuffing attempts on MGM accounts using passwords likely obtained from prior data breaches.
Caesars confirmed that the attackers stole data from the company loyalty program (“Caesars Rewards”), which included basic contact information and, in a more limited number of cases, attached driver’s license, passport or Social Security numbers. MGM has not yet commented on exactly what data was stolen, but it sent out a data breach notification to impacted customers listing the same sort of data. MGM did add that the stolen information is entirely from before March 2019, and that none of it came from the recently acquired Cosmopolitan resort.
MGM expects full business recovery from ransomware attack by November
MGM says that no financial information was accessed by the hackers, and that it expects only minor business impact in October before it returns to a normal expected level of hotel bookings and revenue in November. Pending any further developments on the cybersecurity front, the company will likely have a much-better-than-usual Q4 thanks to the debut of F1 racing in the city (with the track located very close to its Strip hotels).
The company did not provide a detailed breakdown of the ransomware attack expenses other than to say that most of them were due to lost hotel bookings, but it did specify that about $10 million went to IT security and recovery costs. The full scope of the negative financial impact is expected to be contained to Q3 2023 with no further issues going forward.