The MGM and Caesars Entertainment Cyberattacks

Nearly two and a half years have passed since Colonial Pipeline put ransomware into the headlines. Since then, ransomware has ebbed and flowed, but high-profile companies continue to fall prey to cybercrime threat actors, with no end in sight. In a stark reflection of this reality, two behemoth Las Vegas-based casinos—MGM and Caesars Entertainment—became the latest targets, though with one key factor making a difference in the aftermath. 

Both attacks reportedly occurred almost simultaneously. MGM was the first to be visibly affected, with operational issues involving slot machines, reservations, and hotel key cards on Sunday, September 10th. Later that week, on Thursday, September 14th, Caesars Entertainment reported that they also had been the victims of a cyber attack, beginning on September 7th. 

As required by new rules established this year, both MGM and Caesars reported the attacks to the SEC in 8-K filings, on September 13th and September 14th, respectively. 

The filings were significantly different: MGM’s report was a single paragraph and contained few details about the extent of the incident. Caesars' filing was more robust; it described:

• The root point of compromise of its network
• The extent of personal information that had been compromised
• The impact of the incident on Caesars' business operations, and its materiality to their financial condition
• The focus of their ongoing response to the attack

Both companies are already the target of shareholder class action lawsuits; those proceedings will certainly draw the attention of those curious about how the SEC will enforce their recently-issued reporting requirements.

The threat actors likely responsible for these attacks are the Scattered Spider hacking group. Scattered Spider is a subset, or affiliate, of the more recognized AlphV, a ransomware threat actor group that has been around since 2021. AlphV is notorious for its attacks on Reddit and MKS Instruments, with the latter costing that business a staggering $200 million in sales. 

According to reports, Scattered Spider used similar tactics to exploit both companies’ networks, using social engineering to trick IT help desk employees, then gaining access through Okta’s access management product. 

Scattered Spider demanded a ransom payment from both MGM and Caesars, in order to restore their systems and suppress the leakage of stolen sensitive information. Caesars is reported to have paid ($15 million out of the original $30 million demand) for the hackers to delete the data that they collected. According to AlphV, MGM did not engage in negotiations at all. This difference makes for an interesting comparison.

Primarily, the organizations are in the same industries combining a casino with a hotel and resort. On a business level, MGM (NYSE: MGM) and Caesars (NYSE: CZR) are remarkably similar; both are global casino resort operators whose main market is Las Vegas. MGM and CZR have similar stock market capitalizations; before the attacks became public on September 9-10, MGM was valued at $15.2 billion, and CZR had a $11.7 billion valuation. Both pull in several billion annually in revenue ($13 billion for MGM, $10.8 billion for Caesars), and the two organizations are also about the same size (with MGM including 57,000 employees and 49,000 employees). Both companies have similar headcounts (57,000 employees for MGM; 49,000 for Caesars), annual revenues ($13 billion for MGM; $11.7 billion for Caesars), and EBITDA ($3.4 billion for MGM; $3.3b for Caesars). 

Because of the attack, MGM was forced to shut down their computers for 10 days, which may have cost them anywhere from $80 million to $270 million. MGM’s average daily winnings from its slot machines alone is over $12 million per day.

Although it isn’t clear that Caesars faced a choice between making a ransom payment and shuttering its operations for 10 days like MGM did,  spending $15 million to prevent a similar outage looks like a rational, if unfortunate, decision.

Worse, both companies' stocks have taken a beating since the attacks became public. This stands in contrast to a recent report suggesting cyber incidents had not previously impacted public equity valuations. As of Thursday’s (September 21, 2023) close, CZR had shed over $1.5 billion in shareholder equity; MGM lost over $2.2 billion.

Stock market performance of MGM and CZR vs. Gaming Index (BJK) since attacks became public. Teal: VanEck Gaming ETF; Orange: Caesars; Blue: MGM

Both companies' reputations suffered from negative press, but, again, MGM seems to have taken the larger hit. Their case has spurred more Google searches, with their data breach creating worries about leaked confidential information. That isn’t to say that Caesars has escaped with their reputation unscathed - the company disclosed that the hackers copied from a loyalty-rewards database that included social security numbers and driver's licenses. 

Many questions still remain in the aftermath of these attacks: What will the long-term impact be on MGM and Caesars? (How) did Las Vegas Sands and Wynn Resorts keep Scattered Spider at bay? Will these events be (yet) another watershed moment for cybercrime, cyber regulations, and law enforcement? 

For now, the lessons that stand out are all in the differences between MGM's and Caesars' responses in the immediate aftermath of the attacks: Caesars paid the ransom, while MGM ignored the threat actors. MGM lost 10 days of business; Caesars was able to maintain its operations. Caesars reported thoroughly while MGM kept things close to the vest. So far, at least, Caesars seems to be ahead in the courts of public opinion and the stock market. Stay tuned to Digital Asset Redemption to see how this strange ransomware experiment plays out!