MGM Resorts and Caesars Entertainment have both filed required disclosures of cyber incidents to the Security and Exchange Commission (SEC) following ransomware attacks on their casino empires.
The SEC passed new rules last March requiring publicly traded companies to report “material” cybersecurity incidents to the regulator within four days.
Caesars’ SEC filing, dated Sept. 14, acknowledges an unauthorized actor exfiltrated a copy of the company’s loyalty program database on Sept. 7, which included sensitive data like Social Security and drivers license numbers on a “significant” number of members.
Information provided by MGM Resorts is its own SEC report, dated Sept. 13, is more scarce. The hospitality company only reiterated its previous press release from Sept. 12 saying it has identified a “cybersecurity issue” and an investigation is ongoing.
Unlike MGM Resorts, which days later is still experiencing system outages, Caesars reported to the SEC, “Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.”
Caesars also seems to refer to reports of a ransom payment in it’s SEC disclosure:
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” Caesars said in its filing. “The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.”
MGM declined to provide any additional details on the Sept. 10 cyberattack on its systems, however, those familiar with the incidents say the threat group Scattered Spider is behind both the MGM Resorts International system outages, as well as the Caesars breach just days before.
The SEC also declined to comment on the disclosure filings.