Caesars Entertainment Breach 2023: The $15M Ransom That Taught Us Nothing New
Breach Summary
Caesars Entertainment paid a $15 million ransom to Scattered Spider in September 2023 — quietly, discreetly, and without the operational disruption that characterized the simultaneous MGM breach. The Caesars payment is significant not primarily as a ransomware event but as a data point in the economics of extortion: paying the ransom is sometimes the rational financial decision, does not prevent data exposure, and does not prevent the attacker from claiming success and applying the same technique to the next target.
The Caesars breach also provides the clearest documented example of the Scattered Spider identity attack methodology in action against an organization that chose to pay rather than resist — offering a useful comparison point against MGM, which did not pay and suffered operational disruption, to evaluate the actual consequences of each response strategy.
What Happened
Scattered Spider social-engineered access to Caesars' IT environment through an IT outsourcing vendor, using the same identity verification manipulation technique deployed against MGM. With Okta access established, they moved laterally through Caesars' network and located the loyalty database — which contains personal and behavioral information for tens of millions of Caesars Rewards members. They exfiltrated data from the loyalty database and subsequently contacted Caesars with an extortion demand. Caesars paid approximately $15 million — reportedly half the original demand.
Caesars disclosed the breach in an SEC 8-K filing on September 7, 2023, approximately two weeks after the initial compromise. The disclosure confirmed that the loyalty database had been accessed and that Caesars could not guarantee the attackers had deleted the stolen data following payment — a candid acknowledgment of the ransom payment's limitations as a remediation strategy.
The breach occurred during the same period as the more publicly visible MGM breach, which began the following week. The contrast between Caesars' quiet payment and MGM's operational disruption and public refusal to pay provided a real-time case study in ransom payment decision-making.
Attack Vector Detail
The Attack Vector: The Same Playbook as MGM
Scattered Spider used the same initial access methodology against Caesars as against MGM: social engineering of an IT contractor or help desk representative, manipulation of identity verification procedures, and MFA reset to obtain authenticated access to Caesars' Okta environment. The variation — targeting an IT outsourcing vendor rather than Caesars' direct help desk — illustrates that the attack surface for social engineering extends through the supply chain. Any contractor, managed service provider, or vendor with the ability to reset credentials or modify authentication settings is a potential social engineering target.
From the Okta compromise, Scattered Spider moved laterally through Caesars' environment and exfiltrated data from the loyalty database — which contains detailed personal and behavioral information about Caesars rewards members. The loyalty database is particularly valuable for social engineering purposes: it contains name, address, phone, email, and historical behavior patterns for tens of millions of individuals who are identifiable as high-value targets based on their gambling history.
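A detection sketch for the help desk MFA reset described above, added here as an illustration and not taken from Caesars, Okta, or Cloudskope material. It correlates three Okta System Log event types (a factor reset performed by someone other than the user, a new factor enrollment, and a session from an IP the user has not used before); the sample events, the `ev` helper, and the one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window, tune per environment
RESET = "user.mfa.factor.reset_all"
ENROLL = "user.mfa.factor.activate"
LOGIN = "user.session.start"

def ev(ts, etype, actor, target, ip):
    """Build a constructed event with only the System Log fields used below."""
    return {"published": ts, "eventType": etype, "actor": {"alternateId": actor},
            "target": [{"alternateId": target}], "client": {"ipAddress": ip}}

# Constructed sample data (documentation IP ranges, example domains).
SAMPLE = [
    ev("2023-09-01T09:00:00Z", LOGIN, "alice@example.com", "alice@example.com", "198.51.100.10"),
    ev("2023-09-01T14:02:00Z", RESET, "helpdesk@vendor.example", "alice@example.com", "203.0.113.5"),
    ev("2023-09-01T14:06:00Z", ENROLL, "alice@example.com", "alice@example.com", "192.0.2.77"),
    ev("2023-09-01T14:07:00Z", LOGIN, "alice@example.com", "alice@example.com", "192.0.2.77"),
    ev("2023-09-01T08:00:00Z", LOGIN, "bob@example.com", "bob@example.com", "198.51.100.20"),
    ev("2023-09-01T15:00:00Z", RESET, "helpdesk@vendor.example", "bob@example.com", "203.0.113.5"),
    ev("2023-09-01T15:10:00Z", ENROLL, "bob@example.com", "bob@example.com", "198.51.100.20"),
    ev("2023-09-01T15:11:00Z", LOGIN, "bob@example.com", "bob@example.com", "198.51.100.20"),
]

def detect(events):
    """Flag: third-party factor reset -> new factor enrolled -> login from unseen IP."""
    known_ips, pending, alerts = {}, {}, []
    for e in sorted(events, key=lambda e: e["published"]):
        ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        actor, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        p = pending.get(actor)
        recent = p is not None and ts - p["at"] <= WINDOW
        if e["eventType"] == RESET:
            user = e["target"][0]["alternateId"]
            if actor != user:  # reset done on the user's behalf (help desk, vendor)
                pending[user] = {"at": ts, "by": actor, "enrolled": False}
        elif e["eventType"] == ENROLL and recent:
            p["enrolled"] = True
        elif e["eventType"] == LOGIN:
            seen = known_ips.setdefault(actor, set())
            if recent and p["enrolled"] and ip not in seen:
                alerts.append({"user": actor, "reset_by": p["by"], "new_ip": ip,
                               "minutes_after_reset": int((ts - p["at"]).total_seconds() // 60)})
                del pending[actor]
            seen.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```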
Breach Pattern Timeline
Early September 2023
Scattered Spider operatives target Caesars Entertainment's outsourced IT support vendor via vishing, the same playbook used against MGM days later.
September 7, 2023
Attackers gain access to Caesars network via the compromised IT vendor's credentials. Conduct reconnaissance and identify the company's loyalty program database (Caesars Rewards).
September 7-10, 2023
Attackers exfiltrate the Caesars Rewards loyalty program database — names, dates of birth, driver's license numbers, and Social Security numbers for 'a significant number' of loyalty program members.
September 14, 2023
Caesars 8-K SEC filing discloses the cyberattack. Confirms attackers' demand and Caesars' decision to pay approximately $15 million ransom — half the original $30M demand. Pays despite no operational systems offline.
September 14, 2023
Caesars 8-K filing discloses payment was made to recover the stolen data and prevent its release. Caesars is among the first publicly traded U.S. companies to file an 8-K specifically describing a ransomware payment.
September-November 2023
Caesars notifies affected loyalty program members. Class action lawsuits filed. Caesars and MGM widely compared: same threat actor, same week, opposite response strategies, divergent outcomes.
December 2023
Caesars-Scattered Spider becomes one of the first major ransomware case studies under the new SEC Cybersecurity Disclosure Rules effective December 2023. Caesars' 8-K within four business days of materiality determination is held up as a compliance example.
2024
FBI arrests Tyler Buchanan and additional Scattered Spider members. U.S. federal charges against five Scattered Spider operatives in November 2024.
2024-2026
Class action consolidation in District of Nevada continues. Caesars vs MGM 'pay vs no-pay' analysis becomes standard reference in ransomware response curriculum and PE diligence frameworks for hospitality and gaming targets.
Total impact: Caesars Rewards loyalty database exposed (millions of members including SSNs and driver's license numbers), $15M ransom paid, foundational precedent for SEC 8-K ransomware disclosure under new cybersecurity rules and the pay vs no-pay strategic divergence with MGM.
Executive Lessons
Caesars established the parallel to MGM: the same Scattered Spider vishing methodology, executed against a different target's help desk in the same month, produced a $15 million ransom payment versus MGM's refusal to pay. The divergent outcomes — Caesars paid and restored quickly, MGM refused and suffered $100M in losses — illustrate that the ransom payment decision is a legitimate strategic question with no universally correct answer, dependent on operational recovery capability, data sensitivity, and legal risk assessment.
Private Equity Implications
The Caesars breach demonstrates that the social engineering methodology documented in the MGM breach is not unique to MGM — it is a repeatable, systematized attack that Scattered Spider applied to multiple targets in the same period. PE portfolio companies in hospitality, entertainment, retail, and any sector with loyalty databases or consumer-facing operations should evaluate their help desk security procedures and IT vendor contractor access controls against this specific threat model. The Caesars case also illustrates the ransom payment decision framework: paying may reduce operational disruption but does not guarantee data protection, creates precedent for repeated targeting, and generates investigative attention from regulators and law enforcement.
How Cloudskope Can Help
Cloudskope's Social Engineering Assessment evaluates the help desk security procedures of both your internal IT team and your IT vendor contractors — specifically testing whether vendor contractors with administrative access to identity systems have verification procedures robust enough to resist the Scattered Spider methodology.