While MGM’s lawsuit against the Federal Trade Commission and a “60 Minutes” story offered new details, there are still unanswered questions about last year’s cyberattack.
You’ve heard of the gift that keeps on giving.
The cybersecurity incident that pummeled MGM Resorts International in September seems to be the attack that keeps on taking.
The incident lasted 10 days starting Sept. 10 and resulted in an estimated $100 million in lost revenue plus the rebuilding of the company’s IT network — and millions of headaches.
Even after insurance covered much of its losses within months, MGM has discovered that the incident continues to affect Nevada’s largest employer.
The cyberattack resurfaced in the news this past week when the company — a crime victim — filed a lawsuit against the federal government agency responsible for protecting consumers from fraud.
The four-count lawsuit, filed Monday in U.S. District Court for the District of Columbia, seeks an injunction to stop or limit a Federal Trade Commission demand for information about the cyberattack. As of midweek, the FTC had yet to respond to the lawsuit in court and had no public comment about it.
The filing of the lawsuit came a day after “60 Minutes,” the venerable CBS investigative news magazine, aired a report on the MGM cyberattack.
While there were only a few new details about the attack itself in the broadcast, correspondent Bill Whitaker drilled down into the investigation and who was responsible for the attack, which temporarily crippled the Las Vegas company.
The broadcast and the lawsuit filing put a new spotlight on the company, which has nine Strip casino-resorts, five affiliated nongaming properties in Las Vegas and dozens more across the country and around the world.
Most analysts have had little to say about the latest publicity about the company.
“I don’t think any of us realized how long the tail on this was going to be when it first happened last year,” offered Josh Swissman, founding partner and managing director of Las Vegas-based GMA Consulting.
No one is speculating about MGM’s chances for success in its lawsuit, which is centered around the misfortune of FTC Chairwoman Lina Khan and a senior aide being guests at MGM Grand just as the cyberattack was unfolding.
The attack on MGM’s computerized systems resulted in slot machines and ATMs not working or dispensing cash, digital keys not opening hotel room doors, electronic payment systems not accepting credit cards, televisions and telephones not working, elevators and parking lot gates malfunctioning, and long lines at check-in desks and at resort restaurants. When employees admitted to Khan and her aide that they didn’t know how credit card numbers written on pieces of paper were being secured, that information was shared with reporters.
Some of the computer problems actually were created by the company itself as it shut down systems to prevent them from being infiltrated by the hackers.
MGM’s lawsuit against the FTC objects to Khan being a part of the investigation because she personally was affected by the cyberattack when checking in to her hotel while attending a conference. The filing said her participation violates the agency’s own conflict-of-interest rules.
The company also objected that it was not granted a deadline extension for compiling more than 100 categories of data for the FTC’s investigation.
Between the court filing and the “60 Minutes” broadcast, a few new nuggets emerged:
- “60 Minutes” reported the hackers sought a ransom of $30 million and, following the recommendation of FBI investigators, the company didn’t pay it. Inszone Insurance Services, which has an office in Las Vegas and has a website detailing implications of the attack, said Caesars Entertainment Inc., which also was attacked last summer, was asked for $30 million, but only paid half that and didn’t suffer any outages. Caesars confirmed that hackers stole its loyalty program database, which included personal information of millions of customers.
- The “60 Minutes” broadcast included an interview with Bryan Vorndran, the head of the FBI’s cyber division, who didn’t speak specifically about the MGM case, but said a domestic group calling itself “Scattered Spider” and a Russian group known as “BlackCat” were likely responsible for the hack. “When we talk about the actors behind some of the more recent ransomware attacks, the name that’s generally raised is Scattered Spider,” he said in the broadcast. “And that’s a criminal group that we have a lot of attention on because of the havoc they’re wreaking across the United States.”
- Others interviewed in the broadcast included Allison Nixon, chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals, and Jon DiMaggio, a former analyst at the National Security Agency, who now investigates ransomware as chief security strategist for the cybersecurity company Analyst1. Nixon said Scattered Spider consists of thousands of hacking experts between the ages of 13 and 25 who invade computer systems for the thrill and the money and are experts at “social engineering,” a technique of convincing a company’s IT gatekeepers to turn over access to the system. DiMaggio said BlackCat, meanwhile, is experienced in negotiating ransoms and planting malware in compromised systems. Together, they team up to hold computer systems hostage for money.
There are still questions to be answered about what happens next in the MGM cyber case.
Will MGM be successful in its lawsuit against the FTC? One of the issues raised by the FTC was that MGM had no guidelines for “Red Flag” and “Safeguard” rules normally reserved for financial institutions. MGM believes the FTC is looking into that because casinos offer “markers” to high-rolling gamblers. MGM explains markers as allowing some gamblers to play on a tab while the FTC sees it as a credit arrangement.
Will casino companies have to change their rules on markers in the future?
The MGM case could bring that — and other issues — to light.
Contact Richard N. Velotta at [email protected] or 702-477-3893. Follow @RickVelotta on X.
Copyright © Las Vegas Review-Journal, Inc.



2024-05-23
