As of Tuesday morning, the MGM Resorts website was still offline, and an apology message with a list of phone numbers for guests to reach their specific hotel concierge desk was displayed.
Justin Heath, a guest at MGM Grand in Las Vegas, reported that visitors were unable to charge purchases to their rooms, the digital hotel room keys were not working, and restaurants were accepting only cash payments.
MGM Resorts announced that it is working with law enforcement and "took prompt action to protect our systems and data, including shutting down certain systems." An FBI spokesperson said that they are aware of the incident but declined to comment further.
MGM Resorts International manages several properties across the United States, including Aria, Bellagio, Cosmopolitan, Excalibur, Luxor, Mandalay Bay, MGM Grand Las Vegas, and New York-New York in Las Vegas. The company also has resort locations in China, Massachusetts, Michigan, Mississippi, Maryland, Ohio, New Jersey, and New York.
It is currently unclear whether the cybersecurity issue was conducted by threat actors seeking to exfiltrate sensitive information or to cause damage and disruption to MGM systems.
Casinos have been prime targets for both traditional cybercriminal enterprises as well as foreign governments.
In 2014, the Sands Las Vegas Corporation was the victim of a damaging cyberattack by the Iranian government, according to the US Director of National Intelligence.
In 2017, a North American casino was the target of data exfiltration by cybercriminals who compromised a fish tank connected to the company's internet connection.
