MGM wants FTC investigation in cybersecurity incident dropped

MGM Resorts International announced on Monday that the entertainment and gaming giant is suing the US Federal Trade Commission in an attempt to block the latter’s investigation into the company. The FTC is looking into MGM following a data security incident which temporarily stopped operations at the casino in 2023 and highlighted the increased need for a better understanding of cybersecurity risks in the industry.

In its filing with the federal court in Washington, MGM seeks to stop the FTC from obtaining certain information requested by the regulator. The refusal, MGM argues, is based on several facts. First, MGM is not a financial institution and it’s therefore outside of FTC purview when it comes to regulation.

In other words, MGM is not bound by the consumer financial data rules set out by the FTC, and the casino also believes that there is a conflict of interests. FTC Commissioner Lina Khan was staying at an MGM hotel when the attack happened. Khan should recuse herself, MGM insisted, as it poses a conflict of interest not to do so.

The pushback against the FTC is just one of the legal challenges that have cropped out from last year’s attack on MGM’s digital infrastructure. The company is also bogged down in 15 class-action lawsuits by irate consumers.

Furthermore, the company has already acknowledged that the attack had cost it tens of millions of dollars, with further settlements down the road to potentially cost it more. The attack was perpetrated by a group known as Scattered Spider who specialize in mostly social engineering attacks.

However, in this instance, the group used both social engineering and ransomware to lock up MGM’s data. This led to a "limited" leak of consumers’ social security numbers and other personal details, MGM said. Scattered Spider could use this data to further act against individuals.

The group uses social engineering as a remarkably good strategy to gain access to personal information and data access. Social engineering is a hacking attack in which the malignant party impersonates someone who has influence over the victim to compel them to act rashly and without thinking every scenario through.

According to Bloomberg, the attack on MGM was successful precisely because of good social engineering. The hackers called MGM’s IT help desk and impersonated an employee, gaining access to core infrastructure. The attack itself raises the stakes for the casino industry which has been targeted with particular intensity by hacker groups.

Image credit: Unsplash.com