MGM Resorts Cyberattack Stymies Slot Machines, Check-Ins

Keith Miller’s monthly visit to the Borgata casino in Atlantic City, New Jersey, was short-circuited by a cyberattack.

(Bloomberg) — Keith Miller’s monthly visit to the Borgata casino in Atlantic City, New Jersey, was short-circuited by a cyberattack.

He and his wife, Nanako Miller, were temporarily prevented from checking into a hotel room. And they found that cashing out of slot machines involved handwritten vouchers and long lines at the cashier’s window. Even paying for lunch was a struggle.

“They couldn’t take credit cards,” he said. “These are all First World problems, but it was a pretty frustrating morning.”

Miller’s annoyance stemmed from an online attack on MGM Resorts International, which disclosed the breach on Monday. The company said in a statement posted on social media that it took “prompt action to protect our systems and data, including shutting down certain systems.” A message on MGM’s website, which lists numbers for concierges at 19 hotels across the country, said the site “is currently unavailable.”

A spokesperson said the attack started Sunday night and affected properties companywide. Some slot machines were taken offline, and staff were operating in “manual mode,” the spokesperson said. 

In an emailed statement later Monday, the company stressed its casino gaming floors were “operational” but said it was working to resolve the outages.

The Las Vegas-based company said it has notified law enforcement and began an investigation with the help of external cybersecurity experts. The FBI in Las Vegas didn’t respond to an email seeking comment.

Shares of MGM Resorts fell 2.4% in New York on Monday.

It wasn’t immediately clear who was behind the attack, and many details of the breach weren’t known. 

A receptionist who answered the phone at Mandalay Bay, an MGM resort in Las Vegas that hosts the annual Black Hat cybersecurity conference, said guests had been unable to check in for a short time earlier in the day because the hotel couldn’t get into its system. They were now able to check in, said the employee, who declined to provide his name.

Several accounts on the social media platform X provided further details of the fallout from the attack, though the reports couldn’t immediately be substantiated.  

One, attributed to John Brennan at the handle @qpr01, said he was in the Borgata casino. “All computer systems are down. Slots will not accept tickets, and anyone trying to cash out is getting the Handpay message regardless of amount,” he said in his post on X.  

A receptionist who answered the phone at the Borgata confirmed his account, saying she was told when she got into work at 4 p.m. Monday that the office internet had gone down around four hours earlier. 

“The system is still down,” she said on Monday evening, adding that slot machines were only taking cash as a result. She said most guests were understanding but that “a couple are angry.”

Miller, who is from New York City, said the first clue that there was a problem happened on Sunday, when he and his wife used the MGM app for pre-check-in. Normally, he said, they would receive a digital key, but that didn’t happen, so they checked in manually when they arrived in Atlantic City.

The next day, Starbucks and other food establishments wouldn’t accept credit cards, and slot machines wouldn’t take pay vouchers, which they spit out to winners to play in other machines or cash out at the window, he said. Casino employees were handwriting vouchers at slot machines, creating long lines at the cashier’s window, he said.

Miller said they had checked in under his name on Sunday and went to switch to check in again on Monday under his wife’s name, but temporarily couldn’t because the systems were down. They finally got into their room about 4:30 p.m. and plan to stay three more nights.

“We haven’t seen any charges on our credit card yet,” he said. “I’m assuming we are going to be able to stay.”

MGM Resorts was the victim of a July 2019 data breach that exposed the personal information of as many as 10.6 million customers.

In 2014, Iran waged a cyberattack against Las Vegas Sands Corp., whose chief executive officer and majority owner at the time, Sheldon Adelson, had made comments a few months before suggesting he would get tough with Iran in negotiations over its nuclear program. 

The FBI has warned of the rise of threats against both physical and online casinos. Earlier this month, the FBI said a North Korean outfit known as Lazarus Group had hacked, an online casino and betting platform, stealing $41 million in virtual currency.

The Nevada Gaming Commission, which regulates the casino industry in the state, this year introduced new cybersecurity regulations that require casinos to evaluate hacking risks and protect information systems. The aim was to set forth the importance for gaming operators to take necessary steps to protect their information systems, the commission said.

Casinos must also inform the Nevada Gaming Control Board of a cyberattack no later than 72 hours of becoming aware of it.

–With assistance from Christopher Palmeri.

(Updates with MGM’s statement from the sixth paragraph)

More stories like this are available on

©2023 Bloomberg L.P.