FTC to drop MGM cyberattack probe as 2023 dispute nears resolution

The U.S. Federal Trade Commission (FTC) is set to withdraw its civil investigative demand (CID) against MGM Resorts International over the company’s handling of a September 2023 cyberattack that cost an estimated $100 million and disrupted resort operations for nine days.

The decision, communicated in a letter from FTC Chair Andrew Ferguson on Tuesday, follows a months-long legal battle between the regulator and MGM. The casino giant had filed a lawsuit in April, calling the FTC's demand for information a “dangerous overreach” and alleging that the agency had violated its due process rights.

The cyberattack severely impacted MGM’s operations, shutting down hundreds of slot machines, disabling credit card processing, and locking guests out of their rooms. The company was advised by federal investigators not to pay a ransom demanded by cybercriminals.

In July, British authorities arrested a teenager linked to the attack, who was reportedly associated with Scattered Spider, a cybercriminal group known for global ransomware attacks. The suspect was released on bond.

In January 2024, the FTC issued a CID requesting information across 100 categories, which MGM argued was overly broad and largely irrelevant to the cyberattack. After the company unsuccessfully sought an extension to respond, it sued the FTC in April, claiming the agency’s former chair, Lina Khan, had a conflict of interest because she was a guest at an MGM property during the cyberattack.

The FTC countered in June by filing its own lawsuit in Nevada, asserting that MGM should be considered a financial institution under lending regulations due to its use of gambling markers—interest-free credit lines extended to high rollers.

MGM has maintained that it cooperated fully with federal investigators and challenged the FTC’s authority over its business practices.

Following the cyberattack, MGM faced 15 consumer class action lawsuits, which it said were fueled by the publicity surrounding Khan’s experience at the resort. Two of those lawsuits reached a settlement in January for $45 million, with final court approval expected in June.

Under the settlement terms, affected customers will receive cash payments and identity protection. Customers whose Social Security or military ID numbers were exposed will receive $75, while those whose passport or driver’s license numbers were exposed will receive $50. All affected customers will also be eligible for identity theft protection and credit monitoring.

MGM Resorts said that the CID issued by the former FTC chair was a dangerous overreach and sought to punish the company for refusing to pay cybercriminals. The FTC’s lawsuit filing argued that the company qualifies as a financial institution subject to lending rules because it allows high-rollers to gamble with markers.  

In its defense, MGM reiterated that it fully cooperated with federal investigators who advised against paying the ransom. Regarding the class action settlements, MGM stated that it has agreed to a $45 million settlement, providing compensation and identity protection to affected customers.