At press time on September 14, a cyberattack that led to the shutdown of internal networks at some of the biggest meeting hotels in Las Vegas, including MGM Grand Las Vegas, Mandalay Bay, and Bellagio, was into its fourth day.
The attack on MGM Resorts’ 12 properties on the Las Vegas Strip and others across the country has created long lines at registration areas, where guests are reportedly being checked in manually, and has affected casinos and restaurants, which are currently accepting only cash. MGM’s corporate website, email, restaurant reservations, and hotel-booking systems all remain down. Digital hotel room keys are not working, and guests cannot charge purchases to their rooms, according to reports from CNN and elsewhere.
Among the meetings taking place at MGM properties during the systems outage are the September 10-14 IBM TechXchange, with more than 5,000 attendees at the MGM Grand; GroceryShow 2023, expecting about 4,000 attendees from September 14 to 22 at the Mandalay Bay Resort and Convention Center; and HOTMA Summit, a September 13-14 training seminar at Luxor. Meeting organizers for these events could not be reached for comment by press time.
A September 14 message on X (formerly Twitter) from MGM praised the work of the company’s employees and the support of its customers. However, the company has provided no indication of when the issue will be resolved or whether personal guest information has been stolen, even as it faces financial pressures: According to CNBC, “the major credit rating agency Moody’s warned that the cyberattack could negatively affect MGM’s credit rating, saying the attack highlighted ‘key risks’ within the company.”
MGM is not alone in the fight against cyber criminals preying on hotels and casinos. In fact, Caesars Entertainment reported to the Securities and Exchange Commission this week that driver’s licenses and Social Security numbers “for a significant number of members” of the Caesars Rewards program were recently copied by an “unauthorized actor,” according to an article in the Las Vegas Review, which also noted that Caesars paid millions in ransom as a result of the cyberattack. Its hotels, however, did not shut down their networks.
Coincidentally, a new SEC regulation went into effect on September 5 that requires publicly held companies to report within four business days any cyberattacks that could have a “material impact” on a company’s finances. This includes cyberattacks that affect the systems and platforms used for meeting registration and other event elements.
What to Do?
With cyberattacks on the rise, do meeting professionals need new strategies in their risk-management plans or event contracts to deal with the possible consequences of a system shutdown like the one MGM is experiencing?
Meeting industry attorney Joshua Grimes, Esq., says that a hotel's quality obligations, such as a reasonable check-in wait time, clean rooms, Internet connectivity, room keys and payment systems that operate properly, and so on, are implied in every contract. However, he says that “it’s preferable for a contract to specifically include written quality assurances to avoid ambiguity.”
“A hotel might argue that [a cyberattack] is out of its control, and possibly a force-majeure occurrence,” says Grimes. “But a hacking incident certainly ought to be anticipated and protected against in today's world, so arguably it's not an unforeseeable occurrence, and possibly not outside the hotel's control.”
That said, Grimes has never experienced a claim of force majeure from a cyberattack. “Generally, the hotel performs as best it can under the circumstances, and the group and its attendees cope with the situation. I'm not aware of any material disagreements over a hotel's response to cyberattack going to dispute resolution.”