MGM says FTC can't possibly probe its ransomware downfall – watchdog chief Lina Khan was a guest at the time

What a twist!


MGM Resorts wants the FTC to halt a probe into last year's ransomware infection at the mega casino chain – because the watchdog's boss Lina Khan was a guest at one of its hotels during the cyberattack.

The biz on Monday sued the US regulator and its chair, noting the computer network intrusion in September 2023 "cost MGM dearly." That legal complaint, filed in a Washington DC federal district court, demands among other things an end to the regulator's investigation into the malware infection unless Khan is recused from the probe, and a declaration that the watchdog acted unconstitutionally.

MGM earlier said it expected losses totaling at least $100 million from the attack. It presumably would rather the FTC not add to that pain with fines or some other punishment stemming from scrutiny of the corporation's IT practices.

"MGM's misfortune that day was compounded by the presence of a powerful public figure at its Las Vegas hotel during the attack," the lawsuit claimed, meaning Khan, who was said to be at the Sin City resort during the infection.

The criminal gang Scattered Spider claimed to be behind both the MGM digital break-in and a similar intrusion at Caesars Entertainment hotels and resorts. The miscreants, we're told, bragged that all it took to break into MGM's networks was a 10-minute call tricking some sap on the IT help desk.

The hotel chain shut down some of its key IT systems after detecting the intruders. Because of this, an MGM employee apparently asked FTC boss Lina Khan to write her credit card information on paper upon check-in at its Vegas hotel. Khan then, it is said, asked the desk employee how MGM was managing data security in light of the breach, and the worker said he didn't know.

Shortly after Khan's stay, the FTC initiated a "wide-reaching" investigation into MGM, and has since asked the resort owner to produce "more than 100 categories of information," the lawsuit claimed. Some of these requests are "seemingly derived directly from Chair Khan's personal experience in transacting business with MGM during the attack," it added.

Additionally, the publicity that the MGM hack garnered was "enhanced" by media reports about Khan and her aide being hotel guests, and led to a slew of private lawsuits against the business, according to MGM's attorneys. "Specifically, it is now a defendant in fifteen consumer class actions."

After being notified about the FTC's investigation into the matter, MGM requested that Khan recuse herself because of her personal involvement in the case. The FTC denied this request.

"Chair Khan's personal involvement in the facts under investigation create an appearance of a conflict of interest, and upon information and belief, an actual conflict of interest," according to the lawsuit.

Neither the FTC nor MGM immediately responded to The Register's request for comment. We will update this story if and when we hear back. ®
