Sources indicate the FTC has chosen to withdraw its civil investigative demand (CID), which had sought extensive information from MGM regarding the 2023 cyberattack
The Federal Trade Commission (FTC) and MGM Resorts International are on the verge of settling a disagreement about the big cyberattack that hit the company in September 2023. The attack cost about $100 million in damages and messed up MGM’s resort operations for more than a week. The FTC had been looking into this incident.
MGM Expresses Relief as FTC Ends Inquiry Into 2023 Cyberattack
Sources say the FTC has decided to drop its civil investigative demand (CID), which it issued in January 2024, reported The Las Vegas Review-Journal. This CID asked MGM for a wide range of information about the attack. MGM fought back in April by suing the agency saying the demand was too much and did not make sense.
In a statement, MGM expressed relief about the FTC’s decision. The company called the CID an unreasonable attempt to punish them for not giving in to cybercriminals’ demands. MGM had first asked for more time to answer the FTC’s questions but got turned down, which led them to take legal action.
The cyberattack threw MGM’s operations into chaos. Slot machines stopped working, digital room keys did not function, and payment systems broke down. Hotel guests faced big hassles. Staff had to process credit card payments by hand, and the ATMs inside the hotel did not work. On top of that, the company’s phone lines went dead, making the whole situation even worse.
Back then, the FTC claimed its probe aimed to shield customers affected by the attack, given a similar cyberattack on MGM in 2019. The agency also said MGM fell under financial rules because it offered “markers” – interest-free credit to big gamblers.
MGM Accused FTC of Overreach Before Agency Dropped Investigation
MGM sued the FTC, saying the agency had gone too far and breached the company’s Fifth Amendment rights to due process. The company also said FTC Chair Lina Khan should have stepped away from the case. They pointed out she was staying at an MGM hotel during the attack, which they saw as a conflict of interest.
The FTC hit back with its own legal action in June 2024, trying to force MGM to help with the probe. However, now that the FTC has pulled its CID, it is not clear why they changed their mind.
The cyberattack, which cops think was planned by the hacker group Scattered Spider, brought big legal and financial troubles for MGM. Police nabbed a teen in the UK linked to the attack but later let them go on bail.
The hack led to several class-action lawsuits from customers, and MGM has already settled at least two of them. The company will pay out $45 million to people affected by the breach, with each person getting $50 to $75 based on what kind of personal information was exposed. On top of that, those impacted will receive credit monitoring and protection against identity theft.
Now that MGM is putting these legal issues behind it, the company is turning its attention to beefing up its cyber defenses to stop future attacks from happening.
