MGM Hackers Waited for Days Before Issuing Their Ransom Demands

MGM Resorts International Chief Executive Officer Bill Hornbuckle chose not pay a ransom to hackers who broke into his casino chain’s computer system because they didn’t ask for money until well after the company discovered the attack.

(Bloomberg) — MGM Resorts International Chief Executive Officer Bill Hornbuckle chose not pay a ransom to hackers who broke into his casino chain’s computer system because they didn’t ask for money until well after the company discovered the attack.

The intruders moved through MGM’s systems for several days before sending a ransom note, Hornbuckle said in an interview Tuesday. The attack was so far along and the company had already begun rebuilding systems that were pulled offline that Hornbuckle chose to not even respond to the hackers.

“I’d love to tell you there was this, you know, ‘a jump on a white horse moment and devil be damned — we’re not paying these bastards,’” Hornbuckle said. “The reality is because we caught this so early and we were on them.”

MGM, the largest owner of casinos on the Las Vegas Strip, estimates the hack began on the evening of Sept. 7. The company tried to shut down systems before the attackers could steal any data, but they ultimately got into the corporate Domain Name System (DNS) layer, which helps run all of a company’s applications and can be used to deploy malware. 

“They had gotten into the arteries to the heart so they could choke things off,” Hornbuckle said. 

Management created a war room that included executives, IT professionals, lawyers and cyber-security consultants. Employees working with guests began operating in manual mode, writing down customers’ names and credit-card info on clipboards at check-in. Slot machine patrons were paid out in cash by attendants rather than via paper vouchers.

It wasn’t until days later that the hackers sent a ransom note. By that point, the attackers were knocking core systems offline, including payroll, purchasing and phones, and a booking system that handles 20,000 reservations a day.

“Literally everything was out,” Hornbuckle said. “They clearly got wind of what we were doing and closed us down in the balance.” 

Scattered Spider, a group of young men based in the US and the UK, is believed by cyber-security experts to have instigated the MGM attack, as well as a similar incursion at rival Caesars Entertainment Inc.

After the MGM attack, Caesars confirmed it paid a ransom to hackers. Hornbuckle said he wasn’t aware of the Caesars breach until after MGM was hit. He declined to disclose the amount of the ransom demand. 

The incident will reduce MGM’s third-quarter earnings by about $100 million and add $10 million to expenses, most of which will be covered by insurance.

“I can only imagine what next year’s bill will be,” Hornbuckle said on a panel Tuesday at the Global Gaming Expo, a trade show in Las Vegas. 

Four weeks in, the casino giant’s systems are fully operational, apart from one server relating to loyalty points, Hornbuckle said. He’s also glad he made the decision not to pay. 

“They’re not hanging over us with our database in their hand or ultimately the keys to the empire,” he said. “And so we feel great about that part.”

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.