MGM Resorts has confirmed what many feared, saying that hackers stole customer data as part of the breach that crippled the company.

The company made the revelation in a regulatory filing with the SEC:

Based on the ongoing investigation, the Company believes that the unauthorized third-party activity is contained at this time. The Company has determined, however, that the criminal actors obtained, for some of the Company’s customers that transacted with the Company prior to March 2019, personal information (including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers). For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors. The types of impacted information varied by individual. At this time, the Company does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors. In addition, the Company does not believe that the criminal actors accessed The Cosmopolitan of Las Vegas systems or data. The Company also has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud.

MGM Resorts has set aside resources to help customers who may have been impacted:

The Company has established a dedicated help line to address questions about this incident, which can be reached at 800-621-9437 toll-free Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays). Please reference engagement number B105892 when calling. The Company also has set up a webpage www.mgmresorts.com/importantinformation with additional information. In the coming weeks, the Company will provide notification by email to individuals impacted by this issue as required by law and will offer those individuals free identity protection and credit monitoring services.