MGM’s action against FTC over the cyberattack

The Federal Trade Commission (FTC) was sued by Las Vegas-based MGM Resorts International to put a stop to an inquiry into how the casino operator handled a cyberattack that targeted its operations.

MGM's Fifth Amendment rights are allegedly violated by the FTC's investigation, according to the lawsuit, which was filed in federal court. The casino operator argues that the FTC is unfairly pursuing the business based on rules that don't apply to its operations.

The company asserts a conflict of interest, claiming that the FTC's independence is compromised by Chairwoman Lina Khan's direct involvement in the cyberattack as a visitor at an MGM facility during the incident. The business further asserts that the FTC's actions violated its Fifth Amendment rights.

MGM's response to the attack, which interfered with the company's IT systems and impacted thousands of visitors and customers, is the focus of the FTC's investigation. Computer systems were shut down for ten days as a result, which caused problems with credit card processing and hotel reservations.

The regulatory agency filed a Civil Investigative Demand (CID) requiring MGM to submit copious amounts of data spanning multiple years. MGM contends that the regulations the FTC mentioned in its complaint—the "Safeguards Rule" and the "Red Flags Rule"—are intended for financial institutions, which MGM does not categorize as, and that this demand is unreasonable and unrelated.

An enormous cyber headache

The names, contact information, and, in certain situations, passport and Social Security numbers of MGM clients were all accessed by an unauthorized third party. MGM, however, insists that no financial information was hacked. Following the intrusion, MGM acted quickly to safeguard its systems and began working with cybersecurity specialists and law enforcement to conduct an investigation.

Last year, hackers targeted more than just MGM. A serious attack was also launched against Caesars Entertainment's loyalty program database, exposing private data such as driver's license and Social Security numbers. Caesars first denied making any agreements, but then admitted that it had paid a $15 million ransom.

An increase in cyberattacks

The increase in cyberattacks in recent years has presented a serious problem to the gaming industry. According to experts, these kinds of attacks are probably going to keep happening, therefore companies should improve their security procedures and be ready for any risks.

According to reports, Scattered Spider, a global hacking gang also known by the nickname UNC3944, was responsible for the attacks on MGM, Caesars, and many other casinos. It first appeared in May 2022, and since then, it has attacked large companies with sophisticated cyberattacks, especially those in the casino and gambling industries.

Scattered Spider uses a variety of techniques, from “social engineering" to taking advantage of security flaws. Although the group's precise composition is still unknown, it is thought to consist of agents from the United States and the United Kingdom who have connections to other cybercriminal organizations.

Subsequently, the Federal Trade Commission’s dispute with MGM Resorts International over providing information about 2023’s costly cyberattack against the company may be coming to a resolution.

The FTC has informed MGM that it intends to drop its civil investigative demand in relation to the September 2023 incident that crippled the company's resort operations for nine days and cost it an estimated $100 million.

FTC Chairman Andrew Ferguson has informed a member of MGM's Washington-based legal team, in a two-paragraph letter, that the federal agency is abandoning its demand.

Damage from cyberattacks

Hundreds of slot machines were rendered inoperable during the cyberattack, visitors were unable to use smartphones to access their rooms, and credit card payment systems were interfered with, resulting in the manual processing of credit card transactions. Additionally, the company's phone system and on-site ATMs were not working.

The FTC requested information in 100 distinct categories over several years when it released its CID in January 2024. MGM thought that a large portion of the requested data had nothing to do with the cyberattack. In an unsuccessful letter, the corporation requested an extension of the deadline. Both sides went to court after the FTC denied the deadline extension.

FTC lawsuit

Because it permits high rollers to wager using "markers," the FTC further stated that it views the casino as a financial institution subject to lending regulations. Markers are easy ways to entice high rollers to play at a certain casino. They are no-interest loans that players are supposed to repay to the casino within 30 days.

When asked to refrain from paying a ransom demanded by the criminals who had attacked MGM's systems, MGM responded to the FTC action by stating that it fully cooperated with federal investigations.

Law enforcement officials think that Scattered Spider, an international criminal organization that has carried out several ransomware assaults on businesses across the globe, was behind the cyberattack.

MGM claims that fifteen consumer class action lawsuits were filed against the company as a result of Khan's experience being made public. MGM agreed to pay $45 million in settlements for two of those class actions, which are anticipated to be formally approved by the court.

Sources:

“MGM Resorts Fights FTC Over Cyberattack Investigation” . Marese O'Hagan. igamingbusiness.com, April 16, 2024.

“FTC, MGM close to solving dispute over costly 2023 cyberattack” , Richard N. Velotta, reviewjournal.com, February 28, 2025.