MGM Resorts shuts down website, computer systems after 'cybersecurity incident'

Ransomware? Some would be willing to bet on that

MGM Resorts has shut down some of its IT systems following a "cybersecurity incident" that the casino-and-hotel giant says is currently under investigation.

The resort owner issued a statement Monday morning, saying it recently identified something untoward "affecting some of the company's systems."

While MGM didn't specify which parts of its IT environment had been hit — or provide any specific details about the snafu — the MGM Resorts website was down as of Monday afternoon, and a concierge at one of the hotels told The Register that all digital operations are being performed manually because the outage had taken down computer systems across the leisure goliath's empire.

The corp's spokespeople were unable to answer The Register's questions about the situation.

Guests at some of the properties, which include Aria, Bellagio, Luxor, MGM Grand, and Mandalay Bay in Las Vegas, took to social media to report a slew of disruptions affecting ATM and credit card machines, digital room keys, slot machines, and other electronics systems.

"Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts," the MGM statement continued. "We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter."

Remember we're talking about MGM Resorts here: its customer info was previously stolen and sold via cybercrime forums and then dumped on Telegram for free.

Those leaks stemmed from a 2019 security breach during which criminals swiped data belonging to millions of hotel and casino guests, including names, email addresses, phone numbers, addresses, and dates of birth. This reportedly included details about Twitter cofounder Jack Dorsey, pop mega-star Justin Bieber, and US Homeland Security and Transportation Security Administration staff.

While those pilfered records were packaged up and peddled on a dark-web marketplace the following year, in May 2022 someone dumped more than 142 million MGM Resorts customers' data on Telegram for anyone to download at no cost.

MGM Resorts is being sued over the data security breach, which a class action lawsuit [PDF] says affected as many as 200 million people. Travelers whose data was stolen have since faced all manner of identity theft, according to the lawsuit. This, we're told, includes fraudulent credit cards being opened in their names, payments being made from their bank accounts, purchases using their cards that had been on file with MGM Resorts, and even a ransomware attack. ®
