80°F
weather icon Mostly Clear
Las Vegas, NV
Casinos & Gaming

FTC, MGM close to solving dispute over costly 2023 cyberattack

The MGM Grand, right, stands amongst other resorts, hotels and casinos on Tuesday, Sept. 12, 20 ...
The MGM Grand, right, stands amongst other resorts, hotels and casinos on Tuesday, Sept. 12, 2023, in Las Vegas. (L.E. Baskow/Las Vegas Review-Journal)
More Stories
The logo of the Nevada Gaming Control Board is shown on video before a meeting on Thursday, Mar ...
Judge rules against gaming regulators on sports event contracts
California woman wins $15M judgment against Strip casino-hotel
North Las Vegas Police investigate a fatal shooting at Aliante Casino Thursday, March 27, 2025. ...
Do gaming regulators investigate when violent crime occurs in casinos?
The Nevada Gaming Commission on April 24 will consider penalties greater than can be imposed by ...
Winner of Nevada horse race tested positive for cocaine
By / Las Vegas Review-Journal
February 28, 2025 - 11:11 am
 
Updated February 28, 2025 - 5:07 pm

The Federal Trade Commission’s dispute with MGM Resorts International over providing information about 2023’s costly cyberattack against the company may be coming to a resolution.

The FTC has told MGM it plans to withdraw its civil investigative demand regarding the incident that cost the company an estimated $100 million and crippled the company’s resort operations for nine days in September 2023.

In a two-paragraph letter Tuesday from FTC Chairman Andrew Ferguson to Brian Boyle, a member of MGM’s Washington-based legal team, the federal agency said it is withdrawing its demand, known as a CID.

A copy of the letter was provided to the Review-Journal by MGM.

The CID, issued Jan. 25, 2024, spurred a lawsuit by MGM against the FTC in April.

“The CID issued by the former chair of the FTC was a dangerous overreach that sought to punish MGM Resorts for refusing to pay cybercriminals,” MGM said in a statement Friday. “We’re pleased that the new chair has withdrawn it.”

Boyle asked the court for a March 21 status report to determine whether the case is moot.

It’s unclear why the FTC reversed course on the CID.

Cyberattack damage

During the cyberattack, hundreds of slot machines were inoperative, guests could not access their rooms with smartphones and credit-card payment systems were disrupted, leading to the manual processing of credit-card transactions. Onsite ATMs and the company’s phone system also were inoperative.

When the FTC issued its CID in January 2024, it sought information in 100 different categories of information spanning multiple years. MGM believed much of the information sought was irrelevant to the cyberattack. The company wrote a letter unsuccessfully seeking a deadline extension. When the FTC refused the deadline extension, both sides took to the courts.

In April, MGM filed a four-count lawsuit in U.S. District Court for the District of Columbia against the FTC and then-Chair Lina Khan, who with an aide was checking in to the MGM Grand while attending a conference at the height of the cyberattack.

The lawsuit sought an injunction to block the CID and claimed the FTC violated MGM’s Fifth Amendment rights to due process, adding that Khan should have been disqualified for conflict of interest as a hotel guest.

MGM alleged the FTC failed to follow its own conflict-of-interest guidelines.

The lawsuit also sought a reasonable deadline to file the CID if the FTC was allowed to continue its investigation.

FTC lawsuit

The FTC in June countered with its own lawsuit against MGM in U.S. District Court in Nevada. In it, the FTC asked the court to compel MGM to respond to the investigation, saying the government agency represented consumers affected by the cyberattack in 2023 and an earlier attack in February 2019.

The FTC also said it considers the casino to be a financial institution subject to lending rules because it allows high-rollers to gamble with “markers.”

Markers are no-interest loans that gamblers are expected to pay back to the casino within 30 days and are used as a convenient incentive to high-rollers to play at a specific casino.

While gambling with markers represents a small percentage of casino play, gaming companies say it’s the equivalent of a gambler playing on a tab and not on credit.

In response to the FTC lawsuit, MGM said it cooperated fully with federal investigators who urged the company not to pay a ransom sought by criminals who attacked MGM’s systems.

In July, British law enforcement authorities working with the FBI arrested a teenage boy in connection with the attack. The unidentified teen was released on bond after being apprehended by the Regional Organised Crime Unit for the West Midlands in Wallsal, a small city in central England.

Law enforcement authorities believe the cyberattack was organized by Scattered Spider, a multinational crime group responsible for a number of ransomware attacks on companies worldwide.

MGM says the publicity of Khan’s experience triggered 15 consumer class action lawsuits against MGM.

Two of those class actions were settled in January and are expected to be formally approved by the court in June with MGM agreeing to pay $45 million.

Under terms of what is called a “global settlement,” class members whose Social Security numbers or military identification numbers were exposed are eligible for a $75 cash payment while those whose passport number or driver’s license were exposed are eligible for $50. In addition, all settlement class members may get identity theft protection and credit monitoring.

Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X

MOST READ
LISTEN TO THE TOP FIVE HERE
In case you missed it
Don't miss the big stories. Like us on Facebook.
THE LATEST
MORE STORIES