The MGM Hack: When the House Lost Big

A $100 Million Cybersecurity Cautionary Tale

The Setup

• September 11, 2023: MGM Resorts, a Las Vegas casino giant, detected unusual activity in their computer systems
• Within hours, slot machines went dark, hotel keys stopped working, and restaurants could only accept cash
• The culprit? A social engineering attack that began with a simple phone call

The Hand They Were Dealt

• Attackers posed as an employee, called MGM’s IT help desk
• Using publicly available information, they convinced the help desk to reset login credentials
• This single point of compromise cascaded into a system-wide shutdown

Financial Impact Breakdown

1. Direct Costs:
   • Estimated $100 million in negative impact
   • $10 million in one-time expenses
   • Significant losses during 10 days of disrupted operations
2. Indirect Costs:
   • 27.8 million shares traded in the first two days
   • Stock price dropped 3.3% within 24 hours
   • Ongoing reputational damage

Relevance to Valuation Professionals

1. Valuation Impact:
   • MGM’s market cap decreased by over $1 billion
   • Cybersecurity incidents now directly affect company valuations
   • Insurance costs likely to rise, affecting future cash flows
2. Due Diligence Lessons:
   • Importance of assessing cybersecurity in valuation processes
   • Social engineering vulnerabilities can override technical safeguards
   • Employee training is as crucial as technical controls
3. Financial Reporting Implications:
   • Cyber incidents require immediate SEC disclosure
   • Balance sheet impacts through contingent liabilities
   • Potential impairment of intangible assets

Key Takeaways for Your Practice

1. Personal Connection:
   • Social engineering targets individuals, not just systems
   • Every employee is a potential entry point
   • Personal cybersecurity awareness is critical
2. Client Advisory Opportunities:
   • Incorporate cybersecurity assessment in valuation models
   • Consider cyber resilience in risk assessments
   • Advise clients on cyber incident response planning

Powerful Statistics to Use

• A single phone call led to $100 million in losses
• 10 days of disrupted operations across 19 properties
• 3.3% stock drop within 24 hours
• Over $1 billion in market capitalization impact

Vegas-Themed Closing Hook

“What happens in Vegas doesn’t always stay in Vegas—sometimes it ripples through the entire financial market. The MGM hack shows us that in cybersecurity, like in gambling, the house doesn’t always win—especially when they forget the fundamentals of security.”