Following MGM's lawsuit against FTC

FTC petitions court to compel MGM Resorts to respond to cyberattack investigation

Reading time 1:58 min

The Federal Trade Commission (FTC) has petitioned the U.S. District Court in Nevada to compel MGM Resorts International to respond to a demand for information about the September cyberattack on the company.

The FTC's petition highlights the need to investigate MGM's data security practices, noting that the company has had multiple data breaches since 2019, including one in September 2023 and another in February 2019, Las Vegas Review-Journal said.

The petition requests that MGM comply with the Civil Investigative Demand (CID) within 10 days of the court order.

“Judicial enforcement is necessary so that FTC staff may thoroughly and expeditiously conduct its investigation. The FTC respectfully asks this court to issue an order requiring MGM to appear and show cause why it should not comply with the CID and thereafter grant the FTC’s petition and enter an order compelling MGM to produce the documents and information specified in the CID,” the FTC petition reads, as per the report.

This legal action follows MGM's lawsuit against the FTC and its chairwoman, Lina Khan, filed in April in the District of Columbia District Court. MGM seeks to disqualify Khan from the investigation, citing her stay at the MGM Grand during the cyberattack, which resulted in a $100 million loss for the company.

MGM also challenges the constitutionality of the FTC's Rules of Practice regarding Petitions to Recuse Commissioners and seeks exemption from the "Red Flag Rule" and the "Safeguards Rule," the report said.

The "Red Flag Rule" mandates that companies develop an identity theft prevention program, while the "Safeguards Rule" requires the implementation of an information security program. The FTC considers MGM subject to these rules because it issues "markers" to high-rolling gamblers, akin to a credit tab.

MGM's lawsuit also requests a reasonable deadline for responding to the CID if the FTC's investigation continues. The company had previously sought a deadline extension, citing the extensive nature of the information requested, which covers over 100 categories spanning multiple years. MGM argues much of the information is irrelevant to the cyberattack.

“We’ve worked with federal law enforcement from the outset and followed the government’s guidance by refusing to pay a ransom and reward criminals for their horrendous actions,” the report cited an MGM spokesman. “The idea that the government would threaten and punish victims for doing so sends a dangerous message that emboldens criminals and threatens national security. Our suit against the FTC to protect our rights under due process is still pending.”

Filed on June 14, the lawsuit seeks reimbursement of court costs and other damages identified by the court.

The cyberattack in September involved hackers believed to be an international group with domestic ties, who sought a ransom. Following federal investigators' advice, MGM refused to pay. The attack disrupted hundreds of slot machines, smartphone room access, and credit-card payment systems, requiring manual processing.

Khan and an aide, who were guests at MGM during the attack, reportedly questioned the company's procedures. On January 25, the FTC issued its CID.

Leave your comment
Subscribe to our newsletter
Enter your email to receive the latest news
By entering your email address, you agree to Yogonet's Condiciones de uso and Privacy Policies. You understand Yogonet may use your address to send updates and marketing emails. Use the Unsubscribe link in those emails to opt out at any time.