In September 2023, MGM Resorts International—one of the largest hospitality and entertainment companies in the world—was hit by a cyberattack that disrupted operations across its hotels and casinos. But this wasn’t a typical breach involving malware or brute-force hacking. It was a social engineering attack, executed with precision and speed, exploiting human trust rather than technical vulnerabilities.
The Attack: A 10-Minute Phone Call That Opened the Gates
The attack was orchestrated by Scattered Spider, a sophisticated hacker group known for targeting large enterprises, in collaboration with the ALPHV (BlackCat) ransomware gang.
Step-by-Step Breakdown:
- Reconnaissance via LinkedIn: The attackers identified a real MGM employee working in IT support by browsing LinkedIn profiles.
- Impersonation and Vishing: They called MGM’s help desk, impersonating the employee, and requested a password reset or login assistance.
- Credential Access: Within 10 minutes, the attackers gained access to MGM’s Okta identity management system and Azure cloud environment.
Privilege Escalation and Ransomware Deployment:
Using admin-level access, they:
- Monitored internal activity.
- Captured credentials.
- Deployed ransomware across over 100 ESXi hypervisors.
Impact: A Multi-Million Dollar Disruption
The consequences were immediate and severe:
Operational Disruption
- Slot machines and ATMs went offline.
- Hotel room keys stopped working.
- Online booking systems and websites were disabled.
Financial Losses
- Estimated losses of $8.4 million per day.
- Total damages exceeded $100 million.
Data Exposure
- Potential compromise of customer, employee, and vendor data.
Legal and Reputational Fallout
- Class-action lawsuits.
- Loss of customer trust.
- Regulatory scrutiny.
Lessons for IT Teams and Helpdesk Engineers
This attack underscores the importance of human-centric cybersecurity. Here are key takeaways for organizations:
Strengthen Help Desk Protocols
- Implement multi-factor identity verification for all support requests.
- Use callback procedures or internal messaging to confirm identity.
Employee Awareness Training
- Regularly train staff to recognize impersonation tactics.
- Encourage skepticism and verification, especially under pressure.
Limit Privilege Access
- Apply the principle of least privilege to reduce the blast radius of compromised accounts.
Monitor and Audit Identity Systems
- Use behavioral analytics to detect unusual access patterns.
- Regularly audit identity and access management platforms like Okta and Azure services.
Incident Response Readiness
- Maintain a tested and documented incident response plan.
- Ensure rapid containment and recovery procedures are in place.
Final Thoughts: People Are the First Line of Defense
The MGM Resorts breach is a stark reminder that cybersecurity isn’t just about firewalls and encryption—it’s about people. Attackers are increasingly bypassing technical defenses by targeting human behavior.
Dual Layer cybersecurity services team advocates and put a huge onus on security-first culture where awareness, verification, and vigilance are part of everyday operations. We can help in strengthening your cybersecurity infrastructure.