MGM Resorts International reported a “cybersecurity issue” on Monday that may have impacted its hotel, gaming and entertainment properties across the United States
The issue may still be affecting the listed company: Some of its websites were unavailable late Monday and the company urged customers to book rooms and request reservations by phone.
The full impact on reservation systems and casino floors in Las Vegas, the company’s headquarters, as well as properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio is unknown, spokesman Brian Ahern said.
In a statement on Monday evening, the company said the issue was ongoing but that the casino’s arcades were operational. “We continue to work diligently to resolve this issue,” it said.
Earlier in the day, MGM Resorts said the matter affected “some of the company’s systems” and that law enforcement had been notified.
Some MGM systems were shut down to protect data, and the company launched an internal investigation with the help of “leading outside cybersecurity experts,” it said.
The FBI in Las Vegas and the Nevada Gaming Control Board did not respond to requests for comment.
MGM lists 19 hotels in the United States. These include some of Las Vegas’ most popular resorts, including the Bellagio, Mandalay Bay and the Cosmopolitan. It also has properties in China.
Late last year, the Nevada Gaming Board approved stricter cybersecurity measures, including a three-day deadline for reporting online system violations.
In July, the Securities and Exchange Commission passed a similar rule for large, publicly traded companies. It requires a significant breach to be reported within four business days, but the requirement doesn’t take effect until December.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — can matter to investors,” SEC Chairman Gary Gensler said in a statement in July.
South Point Hotel and Casino attorney Barry Lieberman said in a letter to the Nevada board that some of its actions, which had yet to be implemented at the time, were not necessary.
“Almost all licensees have cybersecurity insurance,” he said in a letter to the board’s executive director. “These insurance companies require licensees to take necessary measures to prevent cyber attacks.”
Josh Heller, manager of information security technology at mobile phone company Digi International, said modern cyberattacks can spread quickly through organizations through isolated, official-looking emails asking employees to enter their passwords.
“A simple one [phishing] Emails opened on the corporate network could spread like wildfire,” he said.
Heller suggested that artificial intelligence could provide companies with a quick and relatively inexpensive way to alert managers to violations and “isolate the impact.”
Follow-up questions to an MGM Resorts spokesman remained unanswered Monday.