FTC files petition calling for MGM Resorts cyberattack information

The US Federal Trade Commission (FTC) has filed a petition with the Nevada District Court calling for MGM Resorts to comply with its investigation and hand over relevant information relating to last September’s cyberattack on the firm.

The FTC is seeking to investigate the September 2023 cyberattack, which saw both MGM and Caesars breached, causing significant damage financially.

For MGM, the attack cost $100m in its Q3 2023 adjusted property EBITDA at its Las Vegas resorts.

In an April court filing, MGM attempted to block the FTC’s investigation and argued it did not have to comply with the civil investigation demand (CID), issued to the operator in January, as the company is not a financial institution.

MGM added also requested that FTC chair Lina Khan be removed from the case due to her being on the grounds as a guest at a Las Vegas resort when the attack took place.

However, the FTC is now demanding the operator be investigated and, if the court rules in its favor, MGM must respond to the CID within 10 days from when it is issued.

“Judicial enforcement is necessary so that FTC staff may thoroughly and expeditiously conduct its investigation,” the FTC stated in its petition. “As set forth below, the FTC has met all of the requirements for judicial enforcement of the CID.

“Therefore, the FTC respectfully asks this court to issue an order requiring MGM to appear and show cause why it should not comply with the CID and thereafter grant the FTC’s petition and enter an order compelling MGM to produce the documents and information specified in the CID.”

The petition added that MGM had “no valid basis” for refusing to comply with the CID.

Furthermore, FTC’s petition argued that MGM is subject to a CID because it is able to extend customers’ lines of credit for gambling purposes.

The petition added: “MGM may argue that it is not the type of entity subject to the Safeguards Rule and Red Flags Rule (respectively, a “financial institution” or “creditor”) and therefore the CID is improper.

“That argument is meritless. In the first instance, MGM’s jurisdictional objection has no bearing on the CID’s requests for information relevant to unfair or deceptive acts or practices violating Section 5 of the FTC Act, and MGM cannot deny that it is subject to the FTC Act.

“Even though the court need not make this determination now, MGM is likely subject to the rules because it extends credit instruments called ‘markers’ to customers to permit them to gamble on credit.”

In comments reported by newspaper the Las Vegas Review-Journal, a MGM spokesperson said: “We’ve worked with federal law enforcement from the outset and followed the government’s guidance by refusing to pay a ransom and reward criminals for their horrendous actions.

“The idea that the government would threaten and punish victims for doing so sends a dangerous message that emboldens criminals and threatens national security. Our suit against the FTC to protect our rights under due process is still pending.”

In the aftermath of the cyberattack, EGR analyzed cybersecurity in the industry and how it was evolving as attacks on gambling firms increase.