MGM Resorts International confirmed that hackers stole an unspecified amount of customers' personal information in a September cyberattack that cost the hotel and casino giant an estimated $100 million. The hotel and casino giant first disclosed on September 11 that it had been the target of a massive cyberattack.

The cyber attack was carried out by hackers from the ALPHV subgroup Scattered Spider. A few days later, the cyber attack caused widespread paralysis of MGM hotels, shutting down ATMs and slot machines, and taking the company's website and online reservation system offline.

In a regulatory filing on Thursday, the company acknowledged that the hackers responsible for the attack obtained the personal information of some customers who transacted with MGM Resorts before March 2019. This information includes name, contact information, gender, date of birth and driver's license number. The company said hackers also obtained Social Security numbers and passport information for a small number of customers.

It's unclear how many people were affected by the data breach, but MGM Resorts attracts tens of millions of visitors each year. MGM spokesman Andrew Chapman (AndrewChapman) and Brian Ahern (Brian Ahern) repeatedly declined to answer questions about the incident.

In its filing, MGM added that it does not believe customer passwords or payment details were captured in the attack.

MGM expects the attack to reduce its third-quarter profit by about $100 million, according to regulatory filings. MGM said it also spent approximately $10 million in one-time expenses related to the cyberattack, primarily for technical consulting services, legal fees and other third-party consultants.

According to the Wall Street Journal, MGM Resorts International did not pay the ransom demanded by the attackers. The amount of the ransom is unclear, and representatives of the Scattered Spider Group did not comment. MGM rival Caesars Entertainment, which has also been hit by ransomware attacks recently, is said to have paid out about half of the $30 million demanded by hackers to prevent the leak of stolen data. Media reports claimed that the ScatteredSpider group was also responsible for the Caesar cyberattack, but the group claimed at the time that it had "nothing to do" with the incident.

MGM said it expected its cyber insurance to be "adequate" to cover the financial impact on its business, but noted that "the full cost and associated impact of this issue has yet to be determined." The company added that there was "no evidence" that the data obtained by criminals was used for identity theft or account fraud.

The MGM hotel listings on the ALPHV ransomware gang's dark web leak website have not been updated since September 14, and the hackers do not appear to have released any data stolen from the hotel giant.

Although MGM claims that the cyber attack has been "fully contained" and operations at the company's resorts have "returned to normal," according to customer complaints on social media, some MGM services are still not functioning as of press time, including the MGM mobile app.

MGM said: "The company continues to focus on restoring the remaining affected guest-facing systems, and the company expects these systems to return to normal in the coming days."