Overview
Industry: Hospitality, Gaming, and Entertainment
Threat Type: Ransomware, Social Engineering (Vishing)
In September 2023, MGM Resorts — a global leader in hospitality and casino operations — suffered a crippling cybersecurity breach that disrupted digital operations for over a week. Guests encountered everything from broken keycard systems to casino floor outages, with even MGM’s websites going dark.
At the center of the chaos? A phone call.
The attackers allegedly gained access through a method known as vishing (voice phishing), impersonating an employee in a call to MGM’s internal IT help desk. Once in, they deployed ransomware, stole customer data, and brought critical infrastructure to a halt.
Attack Vector: Social Engineering + Ransomware
The breach was reportedly carried out by the Scattered Spider hacking group using ransomware provided by ALPHV/BlackCat. Their technique:
Vishing to impersonate an MGM employee
Gaining help desk credentials
Deploying ransomware internally
Encrypting data and demanding a crypto ransom
The group is known for targeting organizations through social engineering rather than brute-force hacking. In this case, attackers used publicly available employee data from LinkedIn to convincingly pose as insiders.
Consequences
Operations Disrupted: Digital keycards, reservations, and slot machines failed, forcing MGM into “manual mode.”
Guest Data Compromised: Names, contact info, dates of birth, and government ID numbers were accessed.
Reputation & Financial Fallout: MGM estimated over $100 million in losses, excluding long-term brand damage or legal fallout.
Key Takeaways
For Businesses:
Don’t Overlook Voice-Based Threats: Most security training focuses on phishing emails, but vishing is even more effective — especially with AI and deepfake voice tech on the rise.
Strengthen Helpdesk Protocols: Require multi-factor authentication or verification steps for internal support calls.
Adopt Zero Trust: Internal access should be segmented and monitored. No single credential should open the entire network.
Conduct Social Engineering Tests: Include phone-based penetration testing in annual security assessments.
For Individuals:
Be cautious about what you share online — attackers often piece together impersonation targets from LinkedIn, Facebook, or other public platforms.
After any data breach, freeze your credit and monitor financial activity closely.
Hackwell’s Perspective: What We’d Recommend
Attacks like this bypass technical controls by targeting process and people. Here’s how we would harden an organization like MGM against this type of threat:
Helpdesk Access Protocols
Multi-step employee identity verification and call verification systems should be in place for any access change or credential reset.
Behavioral Analytics & DLP
User behavior analytics (UBA) and DLP tools detect out-of-pattern access attempts, especially across sensitive infrastructure.
Zero-Trust Segmentation
Restrict lateral movement with identity-based segmentation and continuous validation of session behavior.
Phishing & Vishing Drills
Beyond email-based phishing training, we run simulated voice and SMS attacks to educate frontline and IT staff.
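To make the "Helpdesk Access Protocols" and "Behavioral Analytics & DLP" recommendations above concrete, here is an added example (not Hackwell's code, and not anything MGM operates) that does two things: it gates a help-desk credential reset on checks the caller cannot satisfy by knowing LinkedIn-style facts alone (callback to the HR-held number, approval on the already-enrolled MFA device, manager sign-off for privileged accounts), and it runs a simple detection over constructed help-desk and identity-provider log lines, flagging a reset that is followed within an hour by MFA enrollment from an address the user has never been seen on. All names, ticket IDs, phone numbers, IPs and log formats are constructed assumptions.

```python
"""
Help-desk reset verification + post-reset takeover detection.
Added illustrative example; every identifier, ticket, IP and log line below
is constructed and does not describe any real system.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ResetRequest:
    claimed_user: str
    callback_number: str      # number the agent will dial back
    hr_phone_on_record: str   # number held by HR, never taken from the caller
    mfa_push_confirmed: bool  # caller approved a push on the EXISTING MFA device
    manager_approved: bool    # out-of-band approval, required for privileged accounts
    privileged: bool


def verify_reset_request(req: ResetRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failed check is listed so the agent
    and the SOC can see exactly why a request was refused."""
    reasons: list[str] = []
    # 1. Callback must go to the HR record, not to a number the caller supplies.
    if req.callback_number != req.hr_phone_on_record:
        reasons.append("callback number does not match HR record")
    # 2. Proof of possession of the current factor before it is replaced.
    if not req.mfa_push_confirmed:
        reasons.append("no approval on existing MFA device")
    # 3. Privileged accounts additionally need a manager's out-of-band approval.
    if req.privileged and not req.manager_approved:
        reasons.append("privileged reset without manager approval")
    return (not reasons, reasons)


@dataclass
class Event:
    ts: datetime
    source: str   # e.g. "helpdesk" or "idp" (constructed sources)
    action: str   # e.g. "reset", "mfa_enroll", "login"
    fields: dict[str, str]


def parse_line(line: str) -> Event:
    """Parse the constructed 'TIMESTAMP SOURCE ACTION k=v k=v ...' format."""
    ts, source, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), source, action, fields)


def detect_reset_takeover(lines: list[str], known_ips: dict[str, set[str]],
                          window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Alert when a help-desk reset is followed, within `window`, by MFA
    enrollment from an IP the user has no history on. This is the sequence a
    vishing-driven reset produces: the attacker enrolls their own device."""
    events = [parse_line(l) for l in lines]
    alerts = []
    for r in (e for e in events if e.source == "helpdesk" and e.action == "reset"):
        user = r.fields["user"]
        for e in events:
            if e.action != "mfa_enroll" or e.fields.get("user") != user:
                continue
            if r.ts <= e.ts <= r.ts + window and e.fields.get("ip") not in known_ips.get(user, set()):
                alerts.append({
                    "user": user,
                    "reset_ticket": r.fields.get("ticket"),
                    "enroll_ip": e.fields.get("ip"),
                    "minutes_after_reset": int((e.ts - r.ts).total_seconds() // 60),
                })
    return alerts


# Constructed sample data: jdoe's reset is followed by enrollment from an unknown
# address; asmith's is a legitimate phone replacement from a known address.
SAMPLE_LOG = [
    "2023-09-08T14:02:11Z helpdesk reset user=jdoe agent=hd17 ticket=HD-10422",
    "2023-09-08T14:09:40Z idp mfa_enroll user=jdoe device=phone-new ip=203.0.113.55",
    "2023-09-08T14:15:02Z idp login user=jdoe ip=203.0.113.55",
    "2023-09-08T15:30:00Z helpdesk reset user=asmith agent=hd03 ticket=HD-10431",
    "2023-09-08T15:41:10Z idp mfa_enroll user=asmith device=phone-replace ip=198.51.100.8",
]
KNOWN_IPS = {"jdoe": {"198.51.100.20"}, "asmith": {"198.51.100.8"}}

if __name__ == "__main__":
    bad = ResetRequest("jdoe", "+1-555-0100", "+1-555-0199", False, False, True)
    print(verify_reset_request(bad))
    for a in detect_reset_takeover(SAMPLE_LOG, KNOWN_IPS):
        print("ALERT", a)
```

The verification function deliberately reports every failed check rather than stopping at the first, so a help-desk agent sees the full picture and the refusal itself becomes a log event the SOC can correlate. The detection is a minimal sequence rule; in practice the "known IP" baseline would come from the identity provider's sign-in history and the window tuned to the organization's reset volume.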
Hackwell’s Analysis
This case illustrates a hard truth in cybersecurity: technology alone isn’t enough. Human error and manipulation remain the most reliable ways for attackers to bypass even the most sophisticated digital defenses.
Security needs to be human-centric — rooted in culture, training, and layered defenses.
⚠️ Disclaimer
Hackwell was not involved in the MGM Resorts investigation or recovery. This case study is for informational and educational purposes to help organizations understand emerging threat vectors.
Source
This case study is based on reporting from:
Vox, “The chaotic and cinematic MGM casino hack, explained” by Sara Morrison, Oct. 6, 2023.
Read the full article on Vox.com