The CEO of MGM Resorts International has slammed the hackers behind a $100 million attack that crippled its casinos as ‘corporate terrorism at its best’.
Bill Hornbuckle also insisted that the company had not paid ransomware hackers’ demands, after previously declining to comment.
‘You don’t wish this on anyone. It hit us by chance. It was partly socially engineered. And for the few weeks after our company it was devastating,’ Hornbuckle said in his first public comments on the hack on Tuesday.
The gaming giant was the target of a massive hacking operation last month, knocking its slot machines offline and even disabling digital locks across its hotel rooms.
MGM chose not to pay the cyber gang’s ransom request, but revealed that the move cost the casino giant an estimated $100 million.
MGM CEO Bill Hornbuckle has branded a $100m cyber attack ‘corporate terrorism at its finest’ and confirmed the company paid no ransom
Kiosks like this one at the Aria Resort and Casino were knocked out after MGM Resorts International suffered a cyber security attack last month
A Russia-linked ransomware gang called AlphV, known as BlackCat, previously claimed it was involved in the MGM breach.
The hospitality and entertainment company was left ‘completely in the dark’ following the September 10 hack.
Video from around the time of the attack at MGM properties on the Las Vegas Strip, including ARIA and Bellagio, showed huge long check-in lines and disabled slot machines.
Cybersecurity experts believe AlphV worked with an affiliated hacker group called Scattered Spider, made up mainly of young adults and teenagers in the UK and US, to carry out the breach.
Analysts tracking Scattered Spider say more and more organizations are falling for the group’s skilled social engineering schemes, which often involve phone calls to IT support desks posing as a company employee.
Hornbuckle confirmed the company believes hackers managed to obtain the data after infiltrating two of its call centers.
‘We have a call center which is for “my machine is broken,” and then we have a technical call centre, which is for the technical crew. That’s the layer that’s designed,’ Hornbuckle said.
‘And so how that process works going forward needs to be re-examined and it has been, is and will continue to be. That’s the key lesson.’
But he insisted that, unlike fellow sector giant Caesars Entertainment, which was also hit by a similar cyber attack, MGM chose not to pay any ransom.
Hotel guests at the Luxor Hotel and Casino in Las Vegas were still waiting in painfully long lines on September 14, four days after the cyber attack against MGM.
Bosses at Caesars reportedly paid $15 million to the same hackers linked to the MGM strike to avoid any disruption.
‘We didn’t pay ransom, not that it’s the defining moment in either of these things. I know people say don’t pay ransom. But the way it came at us and the speed at which it came at us, we reacted quickly,’ Hornbuckle said.
Hornbuckle also maintained that the breach did not extend to the customer’s credit car details.
‘We have protected data. We find ourselves fully functioning in this thing for a few weeks now. We have all our commercial systems back,’ he said.
Last week, it emerged that MGM’s projected losses from the attack would be about $100 million, money that Hornbuckle said would be covered under insurance.
Hornbuckle said 36,000 hotel rooms were left in the dark after the cyber attack last month that affected properties, including at the company’s flagship MGM Grand in Las Vegas (pictured)
As a result of the attack, functioning slot machines were cash only and set to manual payout, meaning winnings had to be physically distributed, while MGM was forced to provide food and drink vouchers to appease angry guests.
Despite Hornbuckle insisting the company ‘saw it early’, he admitted the strike had crippled operations.
‘With 36,000 hotel rooms and a few regional properties, we were completely in the dark. I mean, literally the phones, the casino system, the hotel system, the key system, and I could go on and on and on, were not functioning,’ he said.
The company has since returned to full functionality.
The FBI previously told DailyMail.com it was investigating the incidents at both Caesars and MGM, adding: ‘As this is an ongoing investigation, we are unable to provide any additional details.’