The Federal Trade Commission has abruptly ended its 14-month battle with MGM Resorts over a devastating ransomware attack. New FTC Chair Andrew Ferguson withdrew the Civil Investigative Demand issued to MGM in January 2024, officially closing an investigation that had turned into a heated legal showdown between the casino giant and federal regulators.
The drama began after a September 2023 cyberattack by the hacking group Scattered Spider crippled MGM’s operations. Slot machines froze. Digital key cards failed. ATMs went dark. The attack cost MGM an estimated $100 million in losses. Ouch.
When the FTC came knocking in January 2024, they weren’t playing around. Then-Chair Lina Khan’s team demanded information across 100 categories, treating MGM as a “financial institution” due to its gambling markers. MGM refused to roll the dice on compliance.
By April, MGM had filed suit against the FTC, calling the investigation “dangerous overreach” and requesting Khan’s recusal. The case echoes the FTC’s earlier dark patterns investigations, which targeted practices undermining consumer privacy. The FTC doubled down in June, filing its own lawsuit to force MGM’s cooperation. They pointed to a previous 2019 data breach as evidence of a troubling pattern.
Federal investigators had advised MGM not to pay the ransom demands, a decision that likely extended the operational disruptions but aligned with growing government resistance to funding cybercriminals.
The sudden resolution leaves important questions hanging. Can the FTC regulate cybersecurity practices of non-financial companies? Should companies pay ransoms? The answers remain fuzzy.
For the corporate world, MGM’s successful challenge creates an interesting precedent. Companies might now feel emboldened to push back against broad information requests from regulators.
The MGM saga highlights the wild west nature of cybersecurity regulation. Without clear frameworks, companies and regulators are making it up as they go. Not exactly reassuring for consumers whose personal data hangs in the balance. A robust incident response plan could have potentially reduced MGM’s recovery time from months to just a week, saving millions in operational losses. Meanwhile, MGM has already settled 15 consumer class action lawsuits related to the incident, with $45 million awaiting final court approval.
But hey, at least MGM can get back to taking people’s money the old-fashioned way – at the blackjack table.
