he filing also details some of the business impacts of the incident. While MGM believes the incident will have a material effect on its yearly results, hotel occupancy was down from 93 per cent to 88 per cent in September as a result of the ransomware attack, while for October, occupancy is expected to be just a single percentile down from its usual 94 per cent rate. MGM has also confirmed that some customer data was compromised. While the company does not believe financial and bank details were impacted, some historical data belonging to customers prior to 2019 were accessed. This includes basic personal information, email and postal addresses, and driver’s license numbers.
“For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors,” the resort said in its filing. “The types of impacted information varied by individual.” Some resort systems are still being affected, however. “The company continues to focus on restoring the remaining impacted guest-facing systems, and the company anticipates that these systems will be restored in the coming days,” it said.
The ransomware attack occurred in early September 2023, with the ALPHV ransomware gang taking responsibility. MGM was forced to shut down many of its hotel and gambling systems, and confused reporting on the incident led to the threat actor releasing a lengthy, detailed statement on the background of the hack.Since then, the company is also facing a number of legal challenges. Five class actions have been launched against the company, alleging that MGM did not adequately disclose the breach and that customer data was not properly secured.
