MGM Resorts CEO: Las Vegas cyberattack an act of “corporate terrorism”

MGM Resorts International CEO Bill Hornbuckle has labelled the recent cyberattack against the casino operator’s land-based Las Vegas and regional casino business an act of “corporate terrorism”.

Hornbuckle was speaking as part of the keynote CEO panel at the G2E Las Vegas convention yesterday (October 10), a session in which he was grilled for details about the attack which hit MGM’s resorts empire on September 10.

“It’s corporate terrorism at its finest, you don’t wish this on anybody. It just happened to hit us for a couple of weeks, and to our company, it was devastating,” the MGM CEO explained.

“However, we saw it early, we had good indicators on the ground.

“By day two, we knew they were there, we reacted quickly to protect data and so we began shutting down systems, and before too long the criminals understood what was happening and shut down the rest of their operations.

Hornbuckle continued: “We found ourselves in an environment where for the next four or five days, we were completely in the dark.

“The telephones, the casino system, the hotel system, the key system, I can go on and on and on, were not functioning and so this put the company to the test,” he added.

The cyberattack on MGM Resorts lasted for nearly two weeks, but the firm returned to full operations on September 21. Last week, the company admitted the attack would cost them $100m in an adjusted EBITDA hit over forthcoming quarters, despite MGM being covered by a $100m cyber-insurance policy.

Independent of the financial implications of the breach, Hornbuckle was keen to stress the firm is learning the lessons from the attack.

“It was an interesting cultural moment for the company to come together,” Hornbuckle explained.

“I think you saw where we bonded quickly. We are now three weeks into this thing and it is behind us, but there is always a threat in the background, and these threats will continue.

“What we do going forward in terms of architecting the system, how we think about social engineering, how we think about processes, obviously needs to get better,” he added.

Hornbuckle would later confirm that MGM Resorts did not pay a ransom to the hacker group for the return or deletion of customers’ personal data.

Revealing the rationale behind the decision, he said: “ [The hack] happened so quickly. We were already in defense mode, we were playing whack-a-mole. Then it almost became a tactical decision.

“So, there was a decision that we shouldn’t be paying a ransom, it was going to take us a long time to figure it out anyway, even if they [the hackers] gave us decryption keys, so let’s just move forward and get through this and to a much different place than we would if we had paid,” he added.

Reflecting on the decision, the MGM CEO continued: “We’re proud of what we did. We did not pay the ransom, not that that is the defining moment of this crisis, but the way this came at us, our reaction, our protection of data, and to find ourselves a couple of weeks in fully functioning again, with all our commercial systems back, is great.”