MGM files suit against FTC to block cyber attack investigation

MGM filed the suit yesterday (15 April) in Washington’s federal court against both the FTC and Lina M Khan as FTC chair.

The suit refers to the large-scale cyber attack launched against MGM in September last year. MGM was forced to shut down certain systems across its US properties due to the attack. Access to MGM hotel rooms and slot machines were affected by the attack.

Hacker group Scattered Spider claimed responsibility for the attack days after it took place. It said that it would launch further attacks on MGM’s infrastructure if MGM did not meet demands for payment.

Why was the suit filed?

The suit outlines that MGM is seeking “injunctive and declaratory relief” against the FTC. MGM is claiming that actions carried out by the FTC and Khan have deprived MGM of its rights within the due process clause of the Fifth Amendment.

This clause stipulates that bodies subject to government action are granted a hearing in front of an unbiased tribunal. It also outlines guaranteed fair treatment under the law.

The suit cites media reports, which stated that Lina Khan “and an unnamed senior aide” were staying at one of MGM’s Las Vegas properties at the time of the cyber attack. As the IT systems were down, according to a report from Bloomberg, a member of staff asked Khan and her staff to write down their credit card information on paper.

Khan then asked the employee how MGM was handling data security in wake of the attack. The employee reportedly said he didn’t know.

The FTC investigation was launched following this exchange. The FTC issued a Civil Investigative Demand (CID) on 25 January 2024 to obtain a response to Khan’s question. According to the suit, the CID asks for information from more than 100 categories across periods that precede the attack.

The following month MGM estimated that the attack would damage its adjusted property EBITDAR for the third quarter by $100.0m (£80.3m/€94.1m). Despite this, it reported record revenue of $3.97bn in Q3. Presenting its Q3 results, CEO Bill Hornbuckle said MGM “went to hell and back” as a result of the attack.

Caesars was also hit by a cyber attack in September. The operator said that its loyalty programme database was breached as part of the attack.

Movement to quash Civil Investigative Demand (CID) and recuse Khan

MGM applied to quash or modify the CID on 20 February 2024. The operator claimed that the CID had a “reliance on inapplicable financial services rules”. MGM says the CID was issued to check its compliance with two rules in particular – the Safeguards rule and the Red Flags rule. MGM is claiming that these rules are not applicable here.

Following this, MGM filed a motion to disqualify or recuse Khan due to her “personal involvement in the subject matter under investigation”. MGM also revealed that it is currently a defendant in 15 consumer class actions. Khan is named here as a potential civil plaintiff and also a possible witness.

The FTC rejected both motions from MGM on 1 April 2024. MGM claims that deprives it of certain rights under the Fifth Amendment.

“It is fundamentally contrary to the Fifth Amendment’s guarantees of due process and equal protection for the FTC to subject MGM to an investigation premised on regulatory provisions that are inapplicable on their face,” the suit reads.

MGM is arguing that because it is not a financial institution, it should not be subject to this type of investigation. The operator noted that the FTC has not tried to enforce the Safeguards rule or the Red Flags rule on a casino resort operator like MGM previously.