The company also incurred less than $10-million in costs fighting the attack, with most related to technology consulting services and legal fees, according to a filing on Thursday. Cybersecurity insurance should cover most of the costs, MGM said, although the full impact has yet to be determined.

MGM, the largest casino operator on the Las Vegas Strip, said the damage is contained at this point, though the hackers obtained personal information about customers who visited the resorts prior to March 2019. That personal information includes Social Security and passport numbers, MGM said.

The company doesn’t believe the perpetrators obtained customer passwords or bank account information, nor is it aware of any identify theft or fraud as a result of the hack.

“We responded swiftly, shut down our systems to mitigate risk to customer information, and began a thorough investigation of the attack,” CEO Bill Hornbuckle said in a letter to customers.

The hackers obtained access to the company’s computer systems by tricking IT service desk staff, Bloomberg News has reported. Caesars Entertainment Inc., another large casino operator, was attacked by the same group and paid them to go away.

The assault crippled casino and hotel operations at MGM nationwide. Guests had to check in to the hotels by writing their information on clipboards. Slot machine patrons were paid out by hand, rather than through paper vouchers. Some guests were unable to use credit cards or charge anything to their rooms. The hack also took out the company’s websites, which meant guests couldn’t reserve rooms online.

MGM said occupancy at its hotels was 88% in September, compared with 93% the prior year. The company forecast a return to that level in October and November, when a big Formula One race comes to town.

Read more: Casino Hackers Use Low-Tech Tricks to Exploit Corporate Targets