MGM Files Suit Against FTC Over Cyberattack Investigation

  • MGM filed the suit against the FTC and its Chair Lina Khan over its September cyberattack
  • An MGM guest during the attack, Khan was asked to write down her credit card details
  • MGM wants the court to halt the FTC probe and to either recuse or disqualify Khan
US District Court for the District of Columbia
MGM has filed a suit against federal agency FTC’s investigation into its September cyberattack. [Image: Shutterstock.com]

MGM takes a stand

MGM Resorts International has filed a lawsuit against the Federal Trade Commission (FTC) over its investigation of the casino giant’s September cyberattack. The operator filed the suit against the body and its Chairperson Lina Khan on Monday in the US District Court for the District of Columbia.

the investigation strips it of its “fundamental due process rights”

According to the Wall Street Journal, MGM is seeking an injunction against the FTC’s investigation into how it conducted itself over the 2023 cybersecurity attack that brought operations to a standstill. MGM stated the investigation strips it of its “fundamental due process rights” and that the court should either recuse or disqualify Khan from the case.

In addition, MGM alleges the FTC violated the business’ Fifth Amendment rights and “wrongfully applied rules meant for financial institutions” over the duration of the probe.

Processes questioned

The September cyberattack forced MGM to shut down ATM and slot machines plus other digital systems in multiple casinos to try suppress the hackers. CBS News research suggested this was the result of young, western hackers working with Russian entities.

Caesars Entertainment’s cybersecurity was also hacked at the same time. Unlike MGM who estimated the attack cost it $100m and $10m in lost revenue and recovery payments, respectively, Caesars opted to get the attackers off its back by ponying up $15m.

MGM’s actions also forced its employees to check-in guests via pen and paper. Khan was a guest at MGM during the cyberattack and, according to the suit, challenged an MGM desk clerk who had asked the FTC chair to write down her credit card details. The employee’s request prompted Khan to inquire how MGM was handling its data security during the cyberattack.

Following the September attack, MGM stated the data breach enabled the hackers to harvest a range of data that included the names, dates of birth, and even some of its customers’ Social Security numbers.

MGM on the front foot

Fifteen consumer class action suits have since been filed against MGM. The FTC Chair, MGM challenges, could potentially become a witness in these lawsuits, which is why it wants her recused. According to the WSJ, on January 25 the FTC filed a civil investigative demand against MGM in “a process that allows it to request information from companies without a court-issued subpoena.”

giving the casino operator just 11 days to submit documentation

MGM’s suit alleges the FTC demanded details on more than 100 different areas spanning many years while giving the casino operator just 11 days to submit documentation.

The FTC refused to accede to MGM’s petition that requested it recuse Khan on April 1, stating its rules don’t allow for recusal “except for cases of administrative litigation.”

MGM cited the Fifth in its suit, stating the FTC’s rules deprived it of due process rights and requested the Washington court declare them unconstitutional. MGM also directly challenged financial rules the FTC leveraged in its investigation linked to the operator’s arrangements with certain customers – namely, over MGM offering markers or checks that allow some of its customers to borrow casino chips.

Ultimately, MGM’s desired outcome is for the court to instruct the FTC to drop its information request or give it additional time to comply, while also permanently halting the agency’s cyberattack probe, and to either recuse or disqualify Khan.

Leave a Reply

Your email address will not be published. Required fields are marked *