Reuters reported that MGM Resorts International filed a lawsuit in federal court on Monday, hoping to block the U.S. Federal Trade Commission from investigating the fallout from a September 2023 cyberattack that allowed “criminal actors” to obtain customer data.
MGM argues that it should not be subject to FTC rules governing consumer financial data because it is not a financial institution. The lawsuit also asserts that FTC Commissioner Lina Khan should recuse herself from the case because she was reportedly a guest at one of MGM’s Las Vegas properties during the attack, which makes her personally involved in the matter.
“As the most high-profile person involved in the events at issue — and the only such person widely identified by name in press reports — Chair Khan is both a potential civil plaintiff and a potential witness,” the lawsuit alleges.
The cyberattack allegedly inconvenienced Khan and an unnamed senior aide. The lawsuit cites press reports that claim since IT systems were unavailable to check Chair Khan into the hotel, an MGM employee asked her to write her credit card information on a piece of paper. The leader of a federal agency governing financial regulation, Khan inquired as to exactly how MGM was managing the data security around the situation.
Khan apparently did not get the response she desired that day, because the FTC launched a wide-reaching investigation on January 25 when it issued a Civil Investigative Demand (“CID”) seeking more than 100 categories of information from MGM.
MGM made attempts in February to quash the CID and also have Chair Khan either disqualified or recused, but the FTC issued a single order denying both petitions on April 1. The lawsuit also alleges that this order deprives MGM of its rights under the Fifth Amendment “in several respects.”
“The attack cost MGM dearly”
MGM's lawyers claim that “the aftershock of the cyberattack continues to reverberate months later” and that MGM is cooperating with the Federal Bureau of Investigation (FBI) to catch the perpetrators.
According to a Securities and Exchange Commission filing in October, the part-owner of BetMGM said the cyberattack will cost around $100 million in adjusted property earnings before interest, taxes, depreciation, amortization, and rent (EBITDAR). However, it will not have a material effect on its finances.
The online sportsbook was supposedly unaffected by the breach, but some BetMGM-branded sports betting kiosks at physical gaming properties did not come out unscathed. MGM also said in its SEC filing that it does not believe any customer passwords or banking information were compromised, and that there is no evidence the data obtained has been used for identity theft.