Full Report
The Federal Trade Commission (FTC) shuttered its case against MGM Resorts International centered on the company’s handling of personal data stolen during a 2023 ransomware attack.
Analysis Summary
# Incident Report: FTC Closes Investigation into MGM Resorts 2023 Ransomware Attack
## Executive Summary
MGM Resorts International suffered a significant ransomware attack in September 2023 that disrupted resort operations, including payment and other digital systems, and compromised customer and employee data. The Federal Trade Commission (FTC) subsequently opened an investigation and issued a Civil Investigative Demand (CID), which MGM contested in court until the FTC withdrew the CID, mooting the related litigation and ending the enforcement action.
## Incident Details
- Discovery Date: September 2023 (MGM publicly disclosed a "cybersecurity issue" on September 11, 2023)
- Incident Date: September 2023
- Affected Organization: MGM Resorts International
- Sector: Hospitality/Gaming/Casinos
- Geography: Las Vegas, Nevada (implied; the affected properties named, Mandalay Bay, Bellagio and Aria, are Las Vegas Strip resorts)
## Timeline of Events
### Initial Access
- Date/Time: On or about September 10 or 11, 2023 (MGM disclosed the incident on September 11, 2023)
- Vector: Not stated in the source. The intrusion was attributed to threat actors affiliated with the BlackCat/Alphv ransomware operation; contemporaneous public reporting described the initial access as social engineering of MGM's IT help desk, but the source does not confirm this.
- Details: Attackers deployed ransomware across the digital systems that run MGM's casinos and hotels, taking them offline.
### Lateral Movement
- Not detailed in the source. The breadth of systems affected (payments, slot management and property management across multiple resorts) implies the attackers obtained broad access to the internal network.
### Data Exfiltration/Impact
- Data compromised included customer data, employee data, and business information.
- Operational Impact: Hotels could not accept credit cards; staff resorted to manual calculations for slot machine wins/losses; guests faced housing disruptions.
### Detection & Response
- Detection: The source does not describe how the intrusion was detected; the near-simultaneous failure of payment, slot-management and property-management systems made the compromise immediately visible to staff and guests.
- Response actions: MGM kept properties operating through manual workarounds (hand-calculated slot wins and losses, cash where card processing was down) while digital systems were unavailable. The financial consequences of the incident are covered under Impact Assessment.
## Attack Methodology
- Initial Access: Not specified in the source. Ransomware was the payload, not the entry vector; public reporting attributed entry to social engineering of the IT help desk, which matches the known tradecraft of BlackCat/Alphv affiliates.
- Persistence: *Not explicitly detailed.*
- Privilege Escalation: *Not explicitly detailed.*
- Defense Evasion: *Not explicitly detailed.*
- Credential Access: *Not explicitly detailed.*
- Discovery: *Not explicitly detailed.*
- Lateral Movement: Not detailed; the simultaneous compromise of systems across several properties implies broad internal access.
- Collection: Customer, employee and business information was gathered.
- Exfiltration: Customer and employee personal data was stolen; the FTC case concerned MGM's handling of this stolen data.
- Impact: Major operational disruption (encrypted or shut-down systems) and loss of confidentiality of personal data.
## Impact Assessment
- Financial: Lost approximately **$100 million** due to the incident. Separately, agreed to pay **$45 million** to settle class-action lawsuits related to the 2023 attack and a 2019 breach.
- Data Breach: Over **37 million** customer records were involved across the 2019 and 2023 incidents, including customer/employee data and business information.
- Operational: Severe disruption to credit card processing, slot management, and overall property management systems across hotels (Mandalay Bay, Bellagio, Aria).
- Reputational/Legal: Extensive media coverage, class-action litigation, and an FTC investigation.
## Indicators of Compromise
- Network indicators: None published in the source.
- File indicators: None published in the source.
- Behavioral indicators: Ransomware deployment attributed to an affiliate of the BlackCat/Alphv operation.
## Response Actions
- Containment: MGM's public statement at the time said it shut down certain systems to protect its data; the source gives no further containment detail.
- Eradication: Not detailed in the source.
- Recovery: Critical functions (payments, slot accounting, guest services) were run manually while digital systems were restored; the source gives no restoration timeline.
- Legal/Regulatory Response: Contested the FTC's Civil Investigative Demand (CID) for months in federal court, challenging the FTC's jurisdiction and demanding the recusal of the FTC chair, who had been a guest at an MGM property during the attack; the FTC ultimately withdrew the CID.
## Lessons Learned
- Regulatory Friction: After the incident, significant legal and organizational effort went into contesting the FTC's CID rather than solely into remediation; post-incident regulatory engagement should be budgeted for in response planning.
- Data Scope: 37 million customer records across the 2019 and 2023 incidents shows how much personal data a hospitality operator holds and how large the exposure becomes once the network is compromised.
- Attribution: The attack was attributed to threat actors affiliated with the BlackCat/Alphv ransomware operation. Under the ransomware-as-a-service model, the affiliate that gains access and the operation that supplies the payload are typically different parties, which matters for attribution and for which tradecraft to defend against.
## Recommendations
- Harden the initial access paths favored by ransomware affiliates such as those working with BlackCat/Alphv: phishing-resistant MFA for remote and administrative access, strict identity verification before help-desk credential or MFA resets, and monitoring for anomalous identity-provider changes.
- Segment payment processing, slot management and property management systems from each other and from general IT so that a single intrusion cannot take every revenue-critical system offline at once, and keep tested manual fallback procedures for each.
- Maintain incident documentation (timeline, data inventory, notification records) to a standard that can be produced to a regulator on demand, so that post-incident investigations can be answered quickly rather than litigated.
- Review and strengthen data protection safeguards for customer and employee records (minimization, retention limits, encryption at rest, access controls) to reduce the volume of data exposed in a future breach.