MGM Resorts 2023 Breach: A $100M Lesson in Help Desk Security and Vishing-Based Identity Attacks

September 2023
BREACH INTELLIGENCE

Breach Date: September 2023
Industry: Hospitality & Gaming
Severity: Critical
Records Exposed: Undisclosed
Financial Impact: $100M+ impact

Breach Summary

The September 2023 ransomware attack on MGM Resorts International is the most financially damaging and strategically instructive cyberattack against a US enterprise in recent history. A single 10-minute phone call to MGM's IT help desk — preceded by a LinkedIn search — triggered a chain of events that cost the company more than $100 million, took slot machines offline for days, locked hotel room keys, and disrupted reservations across 30+ properties. The perpetrators were members of Scattered Spider, a loosely organized group of English-speaking threat actors ranging in age from 19 to 24. They used no zero-day exploits. They deployed no custom malware. They made a phone call.

The MGM breach is important not because it is unique but because it is representative — of the social engineering techniques now being used at scale against mid-market enterprises, of the inadequacy of MFA as a complete identity control, and of the catastrophic financial consequences that follow when social engineering succeeds against an organization without compensating controls.

What Happened: The Complete Attack Timeline

Day 1: The LinkedIn Research and the Phone Call

Scattered Spider actors identified an MGM IT administrator on LinkedIn, gathering enough personal information — name, employer, role, likely contact details accessible through breach databases — to construct a convincing impersonation. They called MGM's corporate help desk, impersonated the administrator, claimed they were locked out of their MFA device while traveling, and requested an MFA reset. The help desk complied. The attackers now had authenticated access to MGM's identity infrastructure.

Days 1–4: Lateral Movement and Reconnaissance

With authenticated access to MGM's Okta environment, the attackers conducted reconnaissance of the broader Microsoft 365 and internal network architecture. They identified administrative accounts, mapped the Active Directory structure, located backup infrastructure, and exfiltrated sensitive data. The attacker group also conducted extensive reconnaissance of MGM's on-premises infrastructure, establishing the scope of what could be encrypted for maximum operational disruption.

Day 4: The Ransomware Deployment

On Sunday September 10, 2023, the attackers deployed ALPHV/BlackCat ransomware across MGM's infrastructure. The deployment was timed for a Sunday — when security staffing is at its lowest — and targeted systems that would create maximum operational visibility: hotel management systems, slot machine infrastructure, reservation platforms, and the corporate email environment. MGM's slot machines went dark. Hotel room key systems failed. Guests could not check in digitally. Reservation systems became unavailable. The public-facing operational failure was immediate and unmistakable.

The Response and Recovery

MGM's incident response team, supported by outside counsel and cybersecurity firms, worked to contain and remediate the breach. MGM publicly confirmed that it did not pay the ransom. Full recovery of systems took approximately 10 days. MGM disclosed the incident to the SEC under the new 4-day disclosure requirement, making it one of the first major tests of the SEC's cybersecurity disclosure rules.

The Attack Vector: Social Engineering Against Identity Infrastructure

The MGM attack followed a technique that Scattered Spider had refined across dozens of targets: using publicly available personal information to pass identity verification at corporate help desks, obtaining MFA resets that provide authenticated access to SSO platforms like Okta, and using that SSO access to pivot through connected enterprise applications.

The specific vulnerability exploited was not a software flaw. It was a procedural gap: MGM's help desk identity verification procedure relied on knowledge factors — information that an attacker with access to breach databases and LinkedIn could easily assemble. Date of birth, employee ID, and the last four digits of a Social Security number are not secrets in 2026. They are available in bulk breach databases for the majority of the US adult population.

Once Okta access was established, the attack proceeded through standard enterprise penetration techniques. Okta's SSO integration with other enterprise platforms meant that a compromised Okta administrator account provided access to connected applications. Lateral movement through the MGM network used the elevated permissions of the compromised administrator account to access additional systems, exfiltrate data, and eventually deploy ransomware across the estate.
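The chain described above (a help-desk MFA reset, followed by a login from an unfamiliar location and then privilege changes) is something an identity log can surface. The detection logic below is an added example, not code from the original article or from Cloudskope; it runs over constructed Okta-style System Log events, and the event type names, field layout and known-IP table are assumptions modelled on Okta's naming rather than real MGM data.

```python
from datetime import datetime, timedelta

# Constructed sample events in an Okta-System-Log-like shape (not real data).
# Event type names are assumptions modelled on Okta's naming conventions.
EVENTS = [
    {"ts": "2023-09-07T14:02:11Z", "type": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent", "target": "it.admin", "ip": "10.0.5.12"},
    {"ts": "2023-09-07T14:06:40Z", "type": "user.session.start",
     "actor": "it.admin", "target": "it.admin", "ip": "203.0.113.77"},
    {"ts": "2023-09-07T14:20:05Z", "type": "user.account.privilege.grant",
     "actor": "it.admin", "target": "contractor.x", "ip": "203.0.113.77"},
    {"ts": "2023-09-07T16:00:00Z", "type": "user.session.start",
     "actor": "j.doe", "target": "j.doe", "ip": "10.0.5.40"},
]

# IPs each user has previously authenticated from (constructed baseline).
KNOWN_IPS = {"it.admin": {"10.0.5.12", "10.0.5.13"}, "j.doe": {"10.0.5.40"}}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_reset_abuse(events, known_ips, window=timedelta(hours=2)):
    """Flag MFA resets performed by someone other than the account owner
    (i.e. by the help desk) that are followed, within `window`, by a login
    from an IP the owner has never used and/or by a privilege grant."""
    events = sorted(events, key=lambda e: _t(e["ts"]))
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "user.mfa.factor.reset_all" or e["actor"] == e["target"]:
            continue  # self-service resets are out of scope for this rule
        user, t0 = e["target"], _t(e["ts"])
        indicators = []
        for f in events[i + 1:]:
            if _t(f["ts"]) - t0 > window:
                break  # events are sorted, so nothing later can match
            if f["actor"] != user:
                continue
            if f["type"] == "user.session.start" and f["ip"] not in known_ips.get(user, set()):
                indicators.append(f"login from unseen IP {f['ip']}")
            if f["type"] == "user.account.privilege.grant":
                indicators.append(f"privilege granted to {f['target']} after reset")
        if indicators:
            alerts.append({"user": user, "reset_by": e["actor"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in find_reset_abuse(EVENTS, KNOWN_IPS):
        print(alert)
```

In a real deployment the baseline would come from historical session data and the alert would feed the help desk's own ticketing, so a reset with no matching ticket can be reviewed before the window closes.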

The ALPHV/BlackCat ransomware group claimed the attack and published details through their data leak site, including claims about the scope of data exfiltrated. MGM's legal response included DMCA notices to the leak site, an unusual defensive measure that drew attention to the legal dimensions of breach extortion.

Breach Pattern Timeline

September 7, 2023

Scattered Spider operatives identify an MGM Resorts employee on LinkedIn. They use that information to call MGM's IT help desk impersonating the employee (a vishing, or voice phishing, attack) and request a password and MFA reset.

September 7, 2023

MGM's IT help desk processes the impersonated request without sufficient identity verification. Reset credentials are provided, and the attackers gain access to MGM's internal systems.

September 8-10, 2023

Attackers conduct reconnaissance, escalate privileges, and access Okta admin tools. They pivot from Okta to Azure AD and begin staging the ransomware payload.

September 11, 2023

MGM detects suspicious activity and activates incident response. The decision is made to take systems offline rather than pay the ransom, based on an evaluation of operational versus financial impact.

September 11-22, 2023

MGM Resorts experiences 10-day operational shutdown affecting Las Vegas hotel reservations, slot machines, room key card systems, restaurant POS, ATMs, payroll, and digital signage across MGM Grand, Bellagio, Aria, Mandalay Bay, Excalibur, Luxor, New York-New York, and other properties.

September 12, 2023

ALPHV/BlackCat (the ransomware brand Scattered Spider was operating under as an affiliate) publicly claims responsibility. MGM does not pay the ransom.

October 5, 2023

MGM 8-K SEC filing discloses estimated $100 million impact to Q3 2023 EBITDA from the incident, plus approximately $10 million in one-time costs.

January 2024

MGM discloses customer data exposure: names, contact information, dates of birth, gender, driver's license numbers, and for some customers Social Security numbers and passport numbers were stolen.

June 2024

FBI arrests Tyler Buchanan, an alleged Scattered Spider operative, in Spain at U.S. request.

November 2024

Five additional Scattered Spider members charged in U.S. federal court.

2024-2025

MGM and Caesars (which paid ransom) become canonical paired case studies in ransomware response strategy. MGM's no-pay decision is widely studied. Hospitality industry implements help-desk identity verification reforms.

Total impact: 10-day operational shutdown of MGM properties, $100M+ EBITDA impact + $10M+ one-time costs, customer PII exposed, foundational precedent for vishing-driven help-desk attacks and ransomware no-pay decision-making.

Executive Lessons

The MGM breach produced five executive-level lessons that have defined enterprise social engineering response ever since. First, Scattered Spider demonstrated that English-speaking attackers using only a telephone can defeat enterprise-grade technical security controls. Second, MGM's refusal to pay the ransom resulted in $100M+ in losses — the operational recovery cost exceeded what would have been the ransom payment. Third, the breach forced MGM to take casino operations offline across multiple properties, demonstrating that identity infrastructure failure cascades to physical business operations. Fourth, the Scattered Spider playbook is not proprietary — any organization whose help desk will reset MFA on a plausible social engineering call is vulnerable. Fifth, the breach was executed in under 10 minutes of social engineering against a single employee.

Private Equity Implications

The MGM breach has direct implications for PE sponsors with hospitality, entertainment, gaming, and consumer-facing portfolio companies — and for any portfolio company that runs corporate help desks with conventional identity verification procedures.

The help desk identity verification gap that Scattered Spider exploited is not specific to MGM. It exists in the majority of mid-market organizations that have not specifically redesigned their verification procedures to exclude knowledge factors available in breach databases. A PE operating partner who calls the IT help desk of any portfolio company and attempts the Scattered Spider social engineering sequence is likely to find the same vulnerability.

Post-close security integration programs that do not include help desk security assessment and remediation are missing the highest-impact initial access vector against the current threat landscape. The MGM breach is not an anomaly — it is a documented, repeatable technique that Scattered Spider applied across MGM, Caesars, Okta, Twilio, and dozens of other organizations in 2022–2023, and that successor groups are actively using in 2026.

How Cloudskope Can Help

Cloudskope's Social Engineering Assessment tests your help desk's actual response to the Scattered Spider social engineering methodology — using vishing simulations that replicate the exact technique used against MGM, Caesars, and Okta. We identify verification procedure gaps and provide remediation roadmaps that make social engineering-based MFA bypass non-viable. For PE sponsors, help desk security assessment is a standard component of our M&A Cyber Due Diligence program.
