MGM Resorts International Inc. reportedly refused to pay a ransom that hackers demanded following a cyberattack against its properties last month.

The Wall Street Journal reported the decision late Thursday. The same day, MGM Resorts submitted a regulatory filing that revealed new details about the breach. The company disclosed that the hackers stole some customers’ personal information data and added the breach will cost it about $100 million. 

MGM Resorts is a major casino and hotel operator that maintains properties in more than a half-dozen locations around the world, including Las Vegas. It also provides online betting applications. During its most recent fiscal year, the company generated more than $13 billion in revenue. 

The company experienced a high-profile cyberattack in September that caused disruptions at several of its properties. Slot machines, ATMs and other systems at the company’s resorts experienced lengthy outages following the breach. Employees reportedly had to check in guests using pen and paper.

A person familiar with the incident told the Wall Street Journal that the hackers demanded a ransom from MGM Resorts. After a ransomware attack, cybercriminals often demand a ransom and threaten to release stolen data publicly or disable compromised systems if it’s not paid. The Journal’s source said that MGM Resorts refused to pay.

In its Thursday regulatory filing, the company disclosed that the hackers obtained personal information belonging to “some” customers who had used its services before March 2019. The compromised data included customers’ contact information, gender, dates of birth and driver’s license numbers. The hackers also obtained a “limited” number of Social Security and passport numbers.

MGM Resorts didn’t specify exactly how many customers are affected. However, it did disclose that no bank account numbers or payment card information was compromised. The hackers likewise didn’t access data from the company’s Cosmopolitan of Las Vegas resort. 

The resort firm estimates that the incident will make a $100 million dent in its adjusted property earnings before interest, taxes, depreciation and amortization. The expenses involved in remediating the breach accounted for less than a 10th of that sum. MGM Resorts’ filing detailed that it spent under $10 million on “remedial technology consulting, legal and advisory services.”

The company estimates that its cybersecurity insurance will cover the expense. However, it cautioned that the “full scope of the costs and related impacts of this issue has not been determined.”

The incident led to reduced occupancy at MGM Resorts’ Las Vegas properties. According to the company’s filing, occupancy reached 88% in September compared with 93% a year earlier. MGM Resorts expects to fare better this month: Its internal forecasts suggest occupancy levels in October will reach 93%, which would represent a decline of only 1% from last year. 

Financially, the company expects to have a strong fourth quarter thanks to a Formula One event scheduled to take in Las Vegas next month. MGM Resorts doesn’t expect the breach to “have a material effect on its financial condition and results of operations for the year.” 

Photo: Zereshk/Wikimedia Commons