The stable of MGM properties, including a dozen of the most iconic hotels in Las Vegas, have been out of service for more than 24 hours due to an ongoing cybersecurity issue.
A cyberattack has breached the computer system at MGM Resorts, forcing the company to shut down operations at a dozen of the most iconic casino hotels in Las Vegas—including the Bellagio, Mandalay Bay and the Cosmopolitan—as well as another half-dozen MGM properties around the United States. The attack has left hotel guests locked out of their rooms and unable to use their digital key cards to charge goods and services.
Since Monday evening, the MGM website has been replaced by a splash page advising guests to contact the company directly via phone.
The company first detected the issue on Sunday evening. “We quickly began an investigation with assistance from leading external cybersecurity experts,” MGM reported Monday on X, the platform formerly known as Twitter. “We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”
“The FBI is aware of the incident, as this is still ongoing, we do not have any additional information to provide at this time,” Mark Neria, an FBI special agent in Las Vegas, told Forbes via email.
One of the world’s largest casino-hotel companies, MGM Resorts hauled in $14.1 billion in revenue last year. In Las Vegas alone, “MGM Resorts fills roughly 12 million room nights a year,” Jonathan Halkyard, the company’s CFO and treasurer said on a quarterly earnings call last month.
By late Monday evening, MGM’s casino floors were operational but the crucial reservation systems for hotel rooms and restaurant reservations remained down, clocking in more than 24 hours offline. MGM Resorts has not immediately responded to Forbes’ request for comment.
In its earning release for the quarter that ended on June 30, MGM reported a 96% occupancy rate for its Las Vegas Strip hotels. Those hotel rooms generated revenue of $707 million compared to casino revenue of $492 million over the same three-month period. Based on those figures, MGM’s Vegas Strip properties bring in roughly $8 million per day in hotel room revenue.
Cyberattacks on hotels are not uncommon. In 2018, Marriott revealed a massive breach that stole the data of a half billion customers. The past decade has seen high-volume data breaches at a slew of other major hotel brands, including Hyatt, Hilton, InterContinental, Sheraton, Westin, Starwood, Wyndham, Omni Hotels and Mandarin Oriental.
But these kinds of attacks typically involve stolen data and are often discovered after the fact. Rarely does one take out the company’s ability to operate.