MGM Resorts International Lawsuit Against FTC Over Cybersecurity Investigation

MGM Resorts International has taken legal action against the Federal Trade Commission (FTC) to halt an investigation into its handling of a cybersecurity breach that occurred in the previous year.

The company argues that the investigation violates its fundamental due process rights and calls for FTC Chair Lina Khan to recuse herself from the case. This lawsuit was filed in a Washington federal court on Monday.

We asked experts on US gambling law from jackpotsounds.com for their view of this situation. The outcome of this lawsuit could have significant ramifications for the casino industry, potentially influencing how regulatory bodies approach cybersecurity investigations and the rights of companies under investigation.

JackpotSounds.com encourages organizations to remain vigilant and proactive in their cybersecurity strategies, acknowledging the evolving nature of cyber threats and the need for adaptability.

Background of the Cybersecurity Incident

Reports indicate that FTC Chair Lina Khan was present at the MGM Grand on the Las Vegas Strip during the cyberattack that led to a temporary shutdown of MGM Resorts International’s computer systems. Allegedly, during check-in, a front desk clerk asked Khan and her team to write down their credit card details on a piece of paper, prompting Khan to inquire about MGM’s data security measures in response to the incident.

The background of the cybersecurity incident at MGM Resorts International can be traced back to September 2023, when the company experienced a significant cyberattack that affected its operations across multiple properties, including Las Vegas, Mississippi, and Maryland.

The attack was reportedly carried out by two notorious cybercriminal groups, Scattered Spider and ALPHV, who claimed responsibility and stole at least six terabytes of data from MGM’s stored files.

The breach began when unauthorized actors impersonated an IT administrator and gained access credentials, allowing them to infiltrate MGM’s network on September 7, 2023.

Once inside, the cybercriminals locked down the network and demanded a ransom from MGM, which led to a 10-day shutdown of the company’s computer systems across its properties. During this period, consumers and resort guests were unable to use

  • electronic room keycards,
  • Wi-Fi,
  • ATMs,
  • electronic gaming devices, and
  • other services.

The ransomware attack had a significant impact on MGM’s operations, causing widespread disruptions for customers and affecting various services, such as slot machines, hotel room access, and reservations.

The attack also compromised the personal information of MGM customers and MGM Rewards loyalty program members, including

  • full names,
  • dates of birth,
  • addresses,
  • email addresses,
  • phone numbers,
  • Social Security numbers,
  • and/or driver’s license numbers.

The FBI is investigating the incident, and MGM Resorts International has offered free credit monitoring and identity protection services to affected guests.

The company has not disclosed specifics on the disruptions or when the issue began or was detected but stated that it had taken prompt action to protect its systems and data, including shutting down certain systems.

This cybersecurity incident at MGM Resorts International highlights the importance of implementing adequate cybersecurity protocols and the potential consequences of failing to do so.

The company’s alleged negligence in safeguarding consumers’ data has led to a class action lawsuit, further emphasizing the significance of this issue.

The incident also underscores the need for organizations to be prepared for potential cyber threats and have measures in place to respond effectively to minimize the impact on their operations and customers.

FTC Investigation and Company’s Response

Following the cybersecurity incident, the FTC initiated an investigation and, in January, requested MGM Resorts International to provide details on how it handled the situation.

The agency demanded over “100 categories of information” from the company, which MGM claims were based on regulations that do not apply to casino operators but rather to financial services companies.

Legal Dispute and FTC’s Response

The FTC has not yet commented on the lawsuit filed by MGM Resorts International. However, it is anticipated that the agency will contest the lawsuit. There have been previous attempts to disqualify Chair Khan from cases, with concerns typically raised about her potential bias rather than mere presence in a situation.

The legal dispute between MGM Resorts International and the FTC over the investigation of the 2023 cybersecurity incident at MGM has been ongoing since the company filed a lawsuit in the U.S. District Court for the District of Columbia on Monday, April 15, 2024.

MGM Resorts International is challenging the FTC’s investigation, alleging that it infringes upon the company’s Fifth Amendment rights and violates its rights to due process and equal treatment under the law.

The lawsuit was initiated due to the FTC’s investigation into the cyberattack that disrupted MGM’s casino operations in September 2023.

The FTC’s probe is based on two financial services regulations that MGM Resorts International argues are inapplicable to the company, as it is not a financial institution and is not subject to the FTC’s rules concerning consumer financial data.

The investigation was reportedly initiated due to an incident involving FTC Chair Lina Khan, who was a guest at one of MGM’s properties in Las Vegas during the attack. During the outage, Khan was asked to write down her credit card information due to the unavailability of electronic systems. This led Khan to inquire about MGM’s data security measures during the incident, which a desk clerk was unable to confirm.

MGM Resorts International contends that the investigation is unconstitutional and a violation of its rights to due process and equal treatment under the law.

The company argues that the FTC’s investigation is based on regulations that are inapplicable to the casino industry and apply exclusively to financial services companies.

In response to the lawsuit, the FTC has not yet provided a comment on the matter. However, the agency is expected to challenge the lawsuit, as there is a long history of efforts to get Khan disqualified from past cases, with concerns typically raised about her potential bias rather than mere presence.

MGM Resorts International had previously requested that Chair Khan recuse herself from the investigation due to her personal involvement in the incident. The company’s attorneys argued that Khan’s involvement could potentially compromise the investigation’s fairness, as she could be a civil plaintiff or witness in the case.

The legal dispute between MGM Resorts International and the FTC highlights the complexities surrounding cybersecurity incidents and regulatory investigations.

The outcome of this lawsuit will likely have implications for how regulatory bodies address cybersecurity issues in the future and the extent to which companies are held accountable for their data security practices.

Request for Recusal and Legal Implications

MGM Resorts International had previously requested that Chair Khan recuse herself from the investigation due to her involvement in the cyberattack incident. The company’s attorneys highlighted Khan’s significant role in the events under scrutiny, suggesting that she could potentially be a civil plaintiff or a witness in the case.

This legal battle between MGM Resorts International and the FTC underscores the complexities surrounding

  • cybersecurity incidents,
  • regulatory investigations, and
  • the challenges faced by companies in managing data breaches effectively.

The outcome of this lawsuit will likely have implications for how regulatory bodies address cybersecurity issues in the future.

NIST Cybersecurity Framework and Legal Compliance

The NIST Cybersecurity Framework (NIST-CSF) emerges as a valuable resource for organizations, including casinos, to manage and mitigate cybersecurity risks effectively.

By adopting the NIST-CSF, companies can systematically assess their cybersecurity posture, identify vulnerabilities, and implement measures aligned with industry-recognized standards.

This proactive approach not only strengthens security defenses but also demonstrates a commitment to regulatory compliance, potentially mitigating legal consequences in the aftermath of a data breach.
