MGM Resorts International reported a “cybersecurity issue” on Monday that may have impacted its hospitality, gaming and entertainment properties across the United States.
The issue was reported by the publicly traded company Monday and may continue to be affecting it: Some of its websites were down late Monday, and it urged customers to book rooms and request reservations by phone.
Its full impact on reservation systems and casino floors in Las Vegas, the company’s base, as well as at properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio, was unknown, spokesperson Brian Ahern said.
In a statement Monday evening, the company said the issue was ongoing, but that its casino gaming floors were operational. “We continue to work diligently to resolve this issue,” it said.
Earlier in the day, MGM resorts said that the matter affected “some of the company’s systems” and that law enforcement was notified.
Some MGM systems were shut down to protect data, and the company launched an internal investigation with the help of “leading external cybersecurity experts,” it said.
The FBI in Las Vegas and the Nevada Gaming Control Board did not respond to a request for comment.
MGM lists 19 properties in the United States. Those include some of the most popular resorts in Las Vegas, including Bellagio, Mandalay Bay and Cosmopolitan. It also has properties in China.
Late last year Nevada’s gaming board approved stricter cybersecurity measures, including a three-day window to report any online system breaches.
In July, the U.S. Securities and Exchange Commission adopted a similar rule for large, publicly traded companies. It requires a significant breach to be reported within four business days, but the requirement won’t be in effect until December.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement in July.
South Point Hotel and Casino attorney Barry Lieberman said in a letter to the Nevada board that some of its measures, yet to be enacted at the time, were not needed.
“Almost all licensees have cybersecurity insurance,” he said in a letter to the executive secretary of the board. “Those insurance companies require the licensees to take steps necessary to prevent cyber attacks.”
Josh Heller, manager of information security engineering at wireless technology company Digi International, said contemporary cyber attacks can rapidly spread throughout a company through a single, official-looking email that prompts an employee to enter their password.
“A simple [phishing] email opened on the corporate network could spread like wildfire,” he said.
Heller suggested artificial intelligence could provide companies with a fast, relatively inexpensive way to alert managers of a breach and “isolate the impact.”
Follow-up questions for an MGM resorts spokesperson went unanswered on Monday.