MGM Resorts, the casino and hotel operator, posted on social media on Monday, stating that in response to “cybersecurity issues,” the company had shut down several of its computer systems, including its website.
The initial shutdown affected nearly every aspect of the casino operator’s business. Reservation systems, booking processes, hotel electronic key card systems, and casino floors were all clearly impacted by the outage.
In response to the cybersecurity issues, the company also took down its email systems, which have not yet come back online.
MGM Resorts said that its casino floors had come back online by Monday evening. However, the reservation systems, which power thousands of hotel rooms, and the booking systems that control reservations for its restaurants remain offline more than a day after the incident was first reported.
MGM Resorts operates thousands of hotel rooms in Las Vegas and across the United States. According to SEC filings, revenue from its Las Vegas hotel rooms for the quarter ending June 30 was $706.7 million, while revenue from its casino operations during the same period was $492.2 million.
In a post, MGM, formerly known as MGM Resorts, stated, “We immediately initiated an investigation with the help of leading external cybersecurity experts. We also notified law enforcement and are taking swift action to secure our systems and data, including temporarily shutting down certain systems.”
The FBI confirmed it was aware of the “ongoing” incident but did not provide further details.
On Monday, MGM’s shares closed nearly 2.4% lower.
MGM Resorts has changed its website to a landing page with advice to contact their hotels or casinos directly via phone. It wasn’t immediately clear when the outage began, although some users on social media reported that MGM’s systems went down on Sunday night.
This is not the first time the company has faced cybersecurity incidents. In 2020, personal information of more than 10 million MGM guests was published on a hacking forum. The company said at the time that the information had been leaked during the summer of 2019.
Beyond FBI involvement, the scope of the government’s response wasn’t immediately clear. In 2003, the government identified the “commercial facility sector,” which includes gaming and lodging, as a critical infrastructure foundation.
The Department of Homeland Security warned in 2015 that “a significant communications failure or deliberate cyber attack could impact payment and fundamental operations to a substantial extent, compromise customer and company data privacy, threaten company integrity and reputation, and impose significant legal and financial burdens.”