FTC files lawsuit demanding MGM cooperation in cyberattack probe
The US Federal Trade Commission (FTC) has upped the ante in its legal battle with MGM Resorts International after filing a lawsuit demanding that the gambling group should cooperate with its probe into a 2023 cyberattack.
The FTCâs petition in the US District Court in Nevada seeks an order to force MGM Resorts to respond to its investigation into the September 2023 breach at the groupâs Las Vegas Strip properties.
The move comes just weeks after MGM submitted a lawsuit of its own in Washington DCâs Federal Court. In April, the group argued it does not have to comply with the FTCâs Civil Investigation Demand (CID) because it is not a financial institution.
The casino company also asked for FTC chair Lina Khan to recuse herself from the case since she was on site when the cyberattack in Las Vegas took place.
FTC refutes MGM claims
In its new Nevada filing, the FTC has argued that MGM Resorts comes under its purview as it is an institution that extends customers credit. It described MGMâs argument as âmeritlessâ.
âMGM may argue⊠that it is not the type of entity subject to the Safeguards Rule and Red Flags Rule (respectively, a âfinancial institutionâ or âcreditorâ) and therefore the CID is improper. That argument is meritless. In the first instance, MGMâs jurisdictional objection has no bearing on the CIDâs requests for information relevant to unfair or deceptive acts or practices violating Section 5 of the FTC Act and MGM cannot deny that it is subject to the FTC Act,â the filing read.
If the court rules in favour of the FTC, MGM will have 10 days to respond to the information requested in the CID.
The legal battle relates to the large-scale cyberattack launched against MGM in September last year. MGM was forced to shut down certain systems across its US properties due to the attack. Access to MGM hotel rooms and slot machines were affected by the attack.
Hacker group Scattered Spider claimed responsibility for the attack days after it took place. It said that it would launch further attacks on MGMâs infrastructure if MGM did not meet demands for payment.
Why was the MGM suit filed?
The April suit outlined that MGM is seeking âinjunctive and declaratory reliefâ against the FTC. MGM is claiming that actions carried out by the FTC and Khan have deprived MGM of its rights within the due process clause of the Fifth Amendment.
This clause stipulates that bodies subject to government action are granted a hearing in front of an unbiased tribunal. It also outlines guaranteed fair treatment under the law.
The suit cites media reports, which stated that Khan âand an unnamed senior aideâ were staying at one of MGMâs Las Vegas properties at the time of the cyber attack.
As the IT systems were down, according to a report from Bloomberg, a member of staff asked Khan and her staff to write down their credit card information on paper.
Khan then asked the employee how MGM was handling data security in wake of the attack. The employee reportedly said he didnât know.
The FTC investigation was launched following this exchange. The FTC issued a Civil Investigative Demand (CID) on 25 January 2024 to obtain a response to Khanâs question. According to the suit, the CID asks for information from more than 100 categories across periods that precede the attack.
The following month MGM estimated that the attack would damage its adjusted property EBITDAR for the third quarter by $100.0m (ÂŁ80.3m/âŹ94.1m). Despite this, it reported record revenue of $3.97bn in Q3. Presenting its Q3 results, CEO Bill Hornbuckle said MGM âwent to hell and backâ as a result of the attack.
Caesars describes cyberattacks as ânew normâ
Caesars was also hit by a cyberattack in September. The operator said that its loyalty programme database was breached as part of the attack.
Earlier this week, Nicole Solaita, SVP and chief audit executive at Caesars, told a KPMG webinar that cyber threats in the gaming industry are now âour new normâ.
Reflecting on the highly impactive cyber-attack on Caesars last September, Solaita told the audience: âUnfortunately Iâve realised that this is really going to be our new norm in this corporate space.Â
âEducation for the employees is so key in this space and training is clearly fundamental. But as much as you train and you try to be prepared, weâre seeing that some of these cyber events havenât been all that sophisticated,â she said.
