MGM Resorts pushes back against FTC's extensive data request in cyberattack investigation

MGM Resorts International is challenging a Federal Trade Commission (FTC) request for information regarding last fall's cyberattack, asserting that the demand is excessive and runs counter to the company's collaboration with federal law enforcement agencies.

The Las Vegas-based casino giant, which serves as the state's largest employer, filed a petition on February 20 to quash or limit the FTC's "civil investigative demand" (CID), Las Vegas Review-Journal reported.

MGM argues that the FTC's request for hundreds of pages of data is irrelevant to the case and could potentially hamper the FBI's investigation into the perpetrators responsible for the cyberattack. The attack, which occurred on September 10, disrupted MGM's computer systems for a nine-day period, impacting operations at all its properties nationwide and causing inconvenience to thousands of guests.

Complicating the matter are reports suggesting that FTC Chairwoman Lina Khan and an unidentified senior aide were present at the MGM Grand Hotel in Las Vegas during the time of the cyberattack. Khan's check-in experience at the hotel was reportedly affected by the attack, with the aide disclosing to media outlets the need to manually record credit card numbers during check-in, the report said.

“We’ve worked closely with federal law enforcement since the beginning of our cyber incident and, consistent with their guidance, refused to pay a ransom to the international criminal actors who perpetrated this act. We are extremely disappointed to now be the subject of this FTC investigation, which may not have occurred if we had taken the easy road and paid the ransom,” the company said in an emailed statement, as per Review-Journal.

In its petition to the FTC, MGM outlines several grounds for seeking to quash the request. The company says the FTC is calling for the production of "more than 100 different categories of information," and that it "spans multiple years with no relevance to the attack."

The FTC initially sought extensive documentation and information from MGM on January 25. MGM met with the FTC on Feb. 6 and asked for a deadline extension to meet its information request, which the FTC refused. On Feb. 13, MGM sent a detailed letter regarding the FTC request and a week later issued its formal petition to quash.

While the FTC did not project how long it could take to consider MGM’s petition, other cases involving requests to quash a CID have taken months to resolve. MGM also could potentially appeal the decision in court.