Enterra

MGM Resorts Sues FTC Over Cyberattack Probe: Legal Battles and Cybersecurity Implications

MGM Resorts International recently filed a lawsuit against the Federal Trade Commission (FTC), challenging an investigative demand following a severe cyberattack in September. The suit, brought in the U.S. District Court for the District of Columbia, seeks the recusal of FTC Chair Lina Khan, citing potential conflicts of interest and alleged misapplication of financial regulations.

The Cyberattack's Impact on MGM

The cyberattack had profound effects on MGM's operations, disabling systems such as slot machines and key access, and pushing staff to revert to manual procedures for guest check-ins. The attackers gained access by manipulating MGM’s tech support into resetting a compromised account's password, which led to significant data theft including customer names, birthdates, and Social Security numbers. The financial toll was staggering, with MGM estimating losses around $100 million in revenue and $10 million in recovery costs.

FTC's Response and MGM's Legal Challenges

In response to the attack, the FTC issued a civil investigative demand in January to examine MGM's data security measures. This broad probe, encompassing over 100 aspects of MGM’s operations, intensified the scrutiny on MGM's security protocols. MGM’s lawsuit argues that the application of certain FTC rules is inappropriate and that Khan's presence at an MGM property during the attack could bias her involvement. They contend that this situation violates their rights to due process.

Enterra's Perspective on Cybersecurity Maturity

Our analysis of the MGM incident reveals significant gaps in their cybersecurity practices, suggesting a surprising discrepancy in the maturity level one might expect from a $13 billion company. While it’s unlikely that MGM operates at the mere "Basic" level of cyber maturity, which involves only fundamental security measures, the severe impacts of their hack indicate substantial deficiencies in broader implementation and employee training. It appears that a lack of effective leadership and comprehensive implementation of advanced cybersecurity measures, such as sophisticated intrusion detection and multi-factor authentication beyond basic passwords and SMS, might be the true culprits behind their vulnerabilities.

How Enterra’s Technology Could Have Helped

Utilizing our cybersecurity technologies, such as Extended Detection and Response (XDR) and Security Orchestration, Automation, and Response (SOAR), could potentially have prevented such an extensive breach at MGM. XDR offers comprehensive detection capabilities across various data sources, while SOAR automates incident response, minimizing human errors and reducing response times. Additionally, implementing a Zero Trust architecture, endorsed by leading tech firms like Okta and Microsoft, provides rigorous access controls and continuous verification of credentials, crucial for safeguarding sensitive data and systems.

However, all of these proactive and adaptive cybersecurity integrations can be rendered insufficient without serious commitment to proper training and thorough implementation. It’s vital that these technologies are not only adopted but are also fully understood and correctly applied by all relevant personnel to effectively secure the network.

Where MGM Fell Short in Defensive Technology

MGM’s reliance on potentially compromised verification methods, like SMS, highlights a significant gap in their defensive strategy. This gap possibly placed them at a lower tier in Enterra's Cybersecurity Maturity Model, which advocates for more sophisticated security measures as organizations evolve towards the "Adaptive" stage, where defenses dynamically adjust to new and emerging threats.

As MGM seeks judicial relief to halt the FTC’s investigation pending the outcome concerning Chair Khan’s involvement, it is imperative for organizations to continuously evaluate and enhance their cybersecurity frameworks. At Enterra, we believe in advancing through the stages of cybersecurity maturity, not just to comply with regulatory demands but to genuinely safeguard against the ever-evolving landscape of cyber threats. This incident serves as a potent reminder of the vulnerabilities that exist and the continuous effort required to mitigate them.

