WASHINGTON — Among the many policy riders House Republicans placed in their fiscal 2025 Financial Services spending bill is one that would curtail a Federal Trade Commission probe of a cyberattack last year at MGM Resorts.Though the bill’s language doesn’t name the company directly, the item could stem from an incident last year involving FTC Chair Lina Khan.The House had planned to vote this week on the Financial Services bill, which would also cut the FTC’s budget by 27% from its requested amount, though that plan was postponed as of Monday.The rider would quash a civil investigative demand, a type of subpoena, issued by the FTC on Jan. 25 that asks MGM Resorts International, one of the world’s largest casino companies, for details of its data security practices after the company suffered a ransomware attack in September 2023.The attack took down online reservation systems and disabled digital room keys, slot machines and websites, according to an examination by the cybersecurity experts at the University of Hawaii.MGM said in news release that the attack resulted in the breach of personal information including names; contact information, such as phone numbers, email addresses, and postal addresses; gender; date of birth; and driver’s license numbers.“For a limited number of customers, Social Security number and/or passport number was also affected,” MGM said. “The types of impacted information varied by individual.”As the cyberattack shut down computer networks and reservation systems, leaving dozens of guests waiting to check in at MGM resort hotel in Las Vegas, one of the guests happened to be Khan, according to a Bloomberg News report of the incident. Unable to access computers, the hotel’s staff asked Khan to fill out her credit card information on a piece of paper, Bloomberg reported.Khan asked the hotel clerk how the company was handling data security and the clerk “shrugged and said he didn’t know,” Bloomberg reported, citing an aide traveling with Khan who witnessed the transaction.In a petition to quash the information sought by the FTC, filed by MGM in February, the company said that the agency was seeking “the production of more than one hundred different categories of information, [spanning] multiple years with no relevance to the attack, and, perhaps most problematic of all, represents an unprecedented attempt by Staff to invoke the Safe Guards Rule and the Red Flags Rule, which do not apply to MGM’s operations.” The petition was referencing two FTC ...
