
MGM Resorts files lawsuit against FTC to prevent cyberattack probe
Casino giant seeks to quash request for information on grounds FTC consumer data rules only apply to financial institutions


MGM Resorts International has filed a suit against the US Federal Trade Commission (FTC) to block its investigation into the impact of the large-scale cyberattack that crippled the operator last year.
That hack, reportedly undertaken by the cyber-threat group ALPHV/BlackCat, saw customer reservations, on-site cash withdrawals and slot machines on casino floors rendered unusable at up to 30 of its properties.
MGM later confirmed the attack had a negative impact of $100m on its Q3 2023 adjusted property EBITDA at its Las Vegas Strip resorts and regional casino divisions.
The suit, which is seeking injunctive and declaratory relief and includes the FTC and its chairwoman, Lina M. Khan, claims that the government agency has violated the due process clause of the Fifth Amendment, which affords parties subject to government enforcement actions a fair hearing and equal treatment under law.
In the suit, MGM said that the FTC and its chair “have deprived, and continue to deprive, MGM of these fundamental rights”.
The four-count docket, filed in the US District Court in the District of Columbia, alleges that the FTC did not follow its conflict of interest guidelines.
The suit aims to stop the agency from seeking a civil investigative demand (CID) to investigate the attack unless Khan disqualifies herself from the investigation.
MGM said this is because Khan was checking into one of MGM Resorts’ properties in Las Vegas when the hack occurred, so she was personally involved in the issue and should recuse herself.
When Khan checked into the hotel, a member of staff asked her to write her credit card information on a piece of paper, it is alleged. Khan asked how MGM was managing data security to keep customer information safe during the cyberattack, the suit claims.
According to a report from Bloomberg, the MGM staff member “shrugged and said he didn’t know”.
On 25 January 2024, the FTC issued a CID seeking a response to Khan’s unanswered questions relating to customer data security.
MGM has claimed that the FTC’s justification for the CID relates to two financial services regulations, the Safeguards Rule and the Red Flags Rule, that are “facially inapplicable to MGM”, with the FTC asking for “more than 100 categories of information” in relation to the cyberattack.
MGM said that the CID’s request closely followed the events Khan experienced in Las Vegas, with certain elements of the demand mirroring Khan’s personal experience.
The operator also stated that the presence of Khan and a senior aide at the hotel during the attack enhanced the case’s publicity and has led to MGM Resorts being the defendant in 15 consumer class-action lawsuits.
In the following weeks, MGM held telephone conferences with the FTC’s LA office. On 20 February, the firm filed a petition to quash or modify the CID, alongside a petition to recuse Khan from the investigation.
The operator has claimed that Khan is both a “potential civil plaintiff and a potential witness” in the case.
In its petition to quash the probe, MGM challenged various aspects of the CID, including the application of the Safeguards Rule, the Red Flags Rule and the “sweeping overbreadth and requirement” to provide information unrelated to the cyberattack.
On 1 April, the FTC denied both of MGM’s petitions, which the operator said “unlawfully deprives” the group of its Fifth Amendment rights.
The CID further stated that the FTC would deny MGM’s petition “even if it were properly filed” because it believed Khan’s involvement in the event was not “legally significant”.
MGM Resorts said: “Chair Khan’s refusal to recuse, and the Commission’s refusal to disqualify her, despite her personal involvement in the subject matter of the investigation, flies in the face of applicable case law and deprives MGM of its rights under the Fifth Amendment.”
The operator added that Khan’s “personal involvement in the facts under investigation create an appearance of a conflict of interest, and upon information and belief, an actual conflict of interest”.
In fact, MGM went as far as to argue the CID was “clearly the result of Chair Khan’s experience at one of MGM’s Las Vegas properties”.
MGM was then given an 11-day deadline to compile the requested data. The operator said the deadline was “plainly unreasonable” and denied the firm due process.
MGM also argued that it is not now, and has never been, subject to the Safeguards or Red Flags Rules because it is not a financial institution and does not extend credit to its customers.
The operator said it was not constitutional for the agency to rely on a “catch-all” assertion of authority.
In its request to the court, MGM has asked that judges enjoin the FTC and Khan from enforcing the CID and conducting any investigation into the operator in relation to the cyberattack.
The filing also requests that MGM be declared not subject to the Safeguards Rule and Red Flags Rule, while also asking the court to rescind the CID or, alternatively, extend the “impossibly short” 11-day deadline.