MGM and FTC Close to Settling Dispute Over 2023 Cyberattack Probe

Sources indicate the FTC has chosen to withdraw its civil investigative demand (CID), which had sought extensive information from MGM regarding the 2023 cyberattackImage Source: Shutterstock.com

The Federal Trade Commission (FTC)and MGM Resorts Internationalare on the verge of settling a disagreement about the big cyberattack that hit the company in September 2023. The attack cost about $100 million in damages and messed up MGM’s resort operations for more than a week. The FTC had been looking into this incident.

MGM Expresses Relief as FTC Ends Inquiry Into 2023 Cyberattack

Sources say the FTChas decided to drop its civil investigative demand (CID), which it issued in January 2024, reported The Las Vegas Review-Journal. This CIDasked MGM for a wide range of information about the attack. MGMfought back in April by suing the agency saying the demand was too much and did not make sense.

In a statement, MGM expressed reliefabout the FTC’s decision. The company called the CID an unreasonable attemptto punish them for not giving in to cybercriminals’ demands. MGM had first asked for more time to answer the FTC’s questions but got turned down, which led them to ngake legal action.

The cyberattack threw MGM’s operations into chaos. Slot machines stopped working, digital room keys did not function, and payment systems broke down. Hotel guests faced big hassles. Staff had to process credit card payments by hand, and the ATMs inside the hotel did not work. On top of that, the company’s phone lines went dead, making the whole situation even worse.

Back then, the FTCclaimedits probe aimed to shield customers affected by the attack, given a similar cyberattack on MGM in 2019. The agency also said MGM fell under financial rules because it offered “markers” – interest-free credit to big gamblers.

MGM Accused FTC of Overreach Before Agency Dropped Investigation

MGM sued the FTC,saying the agency had gone too far and breached the company’s Fifth Amendment rights to due process. The company also said FTC Chair Lina Khanshould have stepped away from the case. They pointed out she was staying at an MGM hotel during the attack, which they saw as a conflict of interest.

The FTChit back with its own legal actionin June 2024, trying to force MGM to help with the probe. However, now that the FTC has pulled its CID, it is not clear why they changed their mind.

The cyberattack, which cops think was planned by the hacker group Scattered Spider, brought big legal and financial troubles for MGM. Police nabbed a teen in the UK linked to the attack but later let them go on bail.

The hack led to several class-action lawsuits from customers, and MGMhas already settled at least two of them. The company will pay out $45 millionto people affected by the breach, with each person getting $50 to $75 based on what kind of personal information was exposed. On top of that, those impacted will receive credit monitoring and protection against identity theft.

Now that MGM is putting these legal issues behind it, the company is turning its attention to beefing up its cyber defenses to stop future attacks from happening.