FTC Investigating Whether MGM Resorts Responded Appropriately to Cyberattack

Article by : Erik Gibbs Apr 16, 2024

• 
• 

The aftermath of the 2023 cybersecurity breach at MGM Resorts International continues to unfold, with the Federal Trade Commission (FTC) now delving into the company’s response to the incident.

This latest development signals that the repercussions of the cyber-attack are far from over for the Las Vegas-based gaming giant.

In January, the FTC initiated an investigation by issuing a Civil Investigative Demand (CID) to MGM, requesting a vast array of data and documents related to the breach. Surprisingly, the CID also encompassed information unrelated to the cyber-attack, spanning multiple years.

In response, MGM filed a motion in February to challenge the validity of the CID. One key point of contention was the FTC’s unprecedented attempt to apply regulations such as the Safe Guards Rule and the Red Flags Rule, which do not apply to MGM’s operations.

Despite efforts to resolve these issues informally, negotiations with the FTC proved unsuccessful. Consequently, MGM opted to file a Petition to Quash or Limit, as outlined in the company’s legal filings.

This ongoing legal saga underscores the complexities surrounding MGM’s handling of the cyber attack and its interactions with regulatory authorities.

In its filing to quash the CID, MGM vehemently asserted its status as a victim of a crime, expressing a profound and legitimate interest in ensuring the apprehension of the alleged perpetrators.

The company emphasized its unwavering cooperation with law enforcement agencies, underscoring its commitment to aiding ongoing criminal investigations.

According to legal documents, during discussions held on February 6, 2024, MGM revealed that the FTC staff urged the prioritization of information provision to law enforcement. Simultaneously, they requested swift submission of any data previously shared with the Federal Bureau of Investigation (FBI).

Furthermore, the filing argued for the quashing of the FTC staff’s request for this material, particularly emphasizing the need to withhold it until the conclusion of relevant prosecutions.

MGM’s stance reflects its dedication to safeguarding the integrity of ongoing criminal inquiries while navigating the complexities of regulatory scrutiny.

In September, FTC Chairwoman Lina Khan and her team visited the MGM Grand, where they had to manually provide credit card information during check-in. Khan’s subsequent inquiry about data protection practices hinted at concerns about MGM’s security measures.

Although this incident likely didn’t directly prompt the FTC’s investigation into MGM’s response to the cyber-attack, it raised questions about the company’s data security protocols.

MGM contests that the FTC’s use of safeguard and red flag rules exceeds its authority. However, the FTC could leverage MGM’s history of lax cybersecurity practices in its inquiry.