FTC Investigating MGM’s Response to 2023 Cyber Hack

The fallout from the cybersecurity breach incident that shook MGM Resorts International’s domestic operations in 2023 seems to be far from coming to an end.

Recently, the Federal Trade Commission (FTC) announced it was investigating the Las Vegas-based gaming giant’s response to the cyber attack.

Large Volume of Data Required Via a CID

In January, the FTC issued a Civil Investigative Demand (CID) to MGM, asking for a massive volume of data and documents connected to the incident, as well as different categories of information spanning several years with zero relevance to the cyber attack.

In February, MGM filed a motion to reject the CID as invalid.

However, one of the biggest issues with the CID was the unprecedented attempt by Staff to invoke the Safe Guards Rule and the Red Flags Rule, which are not applicable to MGM’s operations. 

Because of these arguments, and also because MGM’s attempts to informally fix these issues with Staff failed, MGM decided to file the Petition to Quash or Limit, according to the company’s legal filing.

In its CID-quashing filing, MGM argued it was the victim of a crime “with an intense and legitimate interest” in making sure that the alleged perpetrators are brought to justice.

The gambling company also explained that it has been fully cooperating with law enforcement and that the FTC’s CID request includes demands for criminal information that might jeopardize criminal investigations. 

As stated in the legal paper, “during the parties’ meet and confer on February 6, 2024, Staff requested that MGM prioritize the production of information” offered to law enforcement agencies while requesting they produce any information that MGM had previously provided to the Federal Bureau of Investigation as fast as possible. 

The same legal document argued that the Staff’s attempt to get the respective material should be quashed, “at least until the conclusion of the relevant prosecutions.”

Bad Luck for MGM

In September, while MGM was tackling the cyber attack incident, FTC’s chairwoman, Lina Khan, attempted to check into the MGM Grand together with more than 40 other staffers. 

According to news reports, Khan and the rest of the guests had to write down their credit card numbers on pieces of paper at the front desk. 

Reportedly, the incident led to a query by Khan to an MGM Grand staffer concerning the company’s approach to protecting customer data.

It is unlikely that the respective incident was the stimulus for the FTC’s investigation in MGM’s response to the hack incident. 

The gaming company asserts that the commission leveraging safeguard and red flag rules goes beyond its authority. 

However, the FTC could leverage MGM’s reputation for its loose cyber defenses before the hack against it.