FTC Seeks Court Order to Secure MGM’s Compliance in Cyberattack Inquiry


The Federal Trade Commission (FTC) has recently escalated its efforts to get MGM Resorts to cooperate in a cybersecurity investigation, filing a petition in the US District Court in Nevada. This petition seeks to compel MGM Resorts to provide comprehensive responses to an FTC probe into a cyberattack that targeted MGM’s Las Vegas Strip properties in September 2023.

The FTC’s legal action comes in the wake of MGM filing a lawsuit in April 2023 in Washington DC’s Federal Court, where the casino and hospitality giant argued that it is not obligated to comply with the FTC’s Civil Investigation Demand (CID). MGM’s primary contention is that it does not qualify as a financial institution and therefore should not be subject to the FTC’s jurisdiction under the CID.

In a further move, MGM requested that FTC chair Lina Khan recuse herself from the investigation, citing her presence at one of MGM’s properties during the time of the cyberattack. MGM expressed concerns over potential bias, as Khan was directly impacted by the attack and had firsthand interactions regarding the aftermath.

The FTC, in its recent court filing in Nevada, has challenged MGM’s stance, arguing that MGM operates within its regulatory purview as an entity that extends credit to customers, thereby fitting the definition of a financial institution. The FTC called MGM’s argument “meritless,” stating clearly, “MGM may argue… that it is not the type of entity subject to the Safeguards Rule and Red Flags Rule and therefore the CID is improper. That argument is meritless. In the first instance, MGM’s jurisdictional objection has no bearing on the CID’s requests for information relevant to unfair or deceptive acts or practices violating Section 5 of the FTC Act, and MGM cannot deny that it is subject to the FTC Act.”

If the court rules in favor of the FTC, MGM Resorts would be given a mere ten days to provide the requested information outlined in the CID. This legal clash stems from a significant cyberattack in September last year, which forced MGM to shut down several systems across its US properties, including impairing access to hotel rooms and slot machines.

The cyberattack was attributed to the hacker group known as Scattered Spider, which claimed responsibility and threatened further attacks if MGM did not meet its demands for payment.

MGM’s lawsuit filed in April aims for “injunctive and declaratory relief” against the FTC’s actions. The hospitality group claims these actions infringe upon its rights under the due process clause of the Fifth Amendment. This amendment mandates that entities subject to government intervention must be given a fair hearing before an unbiased tribunal, ensuring equitable treatment under the law. MGM’s suit references media reports that claim Khan and a senior aide were staying at an MGM property during the attack, and were reportedly asked to write down their credit card information on paper due to the IT system shutdown. Following this incident, Khan inquired about MGM’s data security measures, and the allegedly uninformed response from the staff member led to the launch of the FTC investigation. On January 25, 2024, the FTC issued the CID to MGM, demanding information from over 100 categories, covering periods before the cyberattack occurred.

MGM has estimated that the cyberattack could reduce its adjusted property EBITDAR for the third quarter by approximately $100 million. Despite this, the company reported record revenues of $3.97 billion in the third quarter. MGM’s CEO Bill Hornbuckle, while presenting the Q3 financial results, remarked that the company “went to hell and back” due to the cyberattack’s repercussions.

In another related incident, Caesars Entertainment also fell victim to a cyberattack in September, with its loyalty program database being compromised. Nicole Solaita, Caesars’ Senior Vice President and Chief Audit Executive, recently noted in a KPMG webinar that cyber threats are becoming the “new norm” in the gaming industry. Reflecting on the profound impact of the Caesars cyberattack, Solaita emphasized the critical importance of employee education and training in cybersecurity, even acknowledging that some cyber incidents have not been particularly sophisticated.

As the FTC pushes forward with its investigation, the unfolding legal battle with MGM Resorts underscores the increasing significance of cybersecurity and regulatory compliance in the hospitality and gaming sectors.
