    MGM Resort Cyberattack: How Hackers Shattered Operations with $100M in Damages

    February 25, 2025 · 10 min read

    News

    A cyberattack in September 2023 brought one of the world's largest casino and hospitality operators, MGM Resorts, to its knees. For nearly a week, operations at iconic Las Vegas properties like the Bellagio and Mandalay Bay ground to a halt. Guests were locked out of rooms, slot machines displayed error messages, and even basic systems like ATMs and online bookings were offline.

    The breach didn’t just disrupt services—it exposed personal information of countless customers and left MGM facing an estimated $100 million in damages. From canceled reservations to long lines at check-in, the chaos was palpable. This incident highlights the growing threat of cyberattacks on major corporations and the costly aftermath they leave behind.

    Key Takeaways

    The September 2023 cyberattack on MGM Resorts paralyzed operations across over 30 properties, including iconic Las Vegas locations, and caused widespread disruptions to guests and systems.

    Hackers from the Scattered Spider group utilized social engineering and ransomware to breach MGM's systems, showcasing vulnerabilities in help desk protocols and cybersecurity measures.

    Sensitive customer data, including personal contact details and government ID information, was exposed, primarily affecting individuals who used MGM services before March 2019.

    MGM faced approximately $100 million in damages, highlighting the costly financial and reputational consequences of large-scale cyberattacks.

    The attack underscores the importance of robust incident response plans, stricter authentication methods, and employee awareness training to prevent similar breaches in the future.

      Overview Of The MGM Resort Cyberattack

      The MGM Resorts cyberattack occurred in September 2023, disrupting operations at over 30 properties worldwide. Hackers from the ALPHV subgroup Scattered Spider gained unauthorized access on or around September 9. This led to the shutdown of critical systems, including digital room keys, ATMs, slot machines, and online booking platforms. Guests faced significant inconveniences, such as long check-in lines and handwritten receipts for transactions.

      An estimated $100 million in damages impacted the company’s third-quarter results, along with additional one-time costs below $10 million. The private data of customers, including contact information, gender, dates of birth, and driver’s license numbers for individuals who used MGM services before March 2019, was compromised. While MGM's incident response involved shutting down systems to contain the damage, the operational disruptions persisted for several days.

      The attack's public nature highlighted vulnerabilities in MGM's security infrastructure. Hackers exploited these weaknesses to infiltrate the company’s systems. Despite efforts to restore functionality, lingering cyber challenges affected some regional properties and briefly impacted Las Vegas bookings in October. The MGM attack timeline underscored the escalating threat of cyberattacks against global enterprises, revealing significant economic and reputational consequences.

      How The Attack Unfolded

      The MGM attack timeline began on or around September 9, 2023, when ALPHV-linked hackers exploited MGM Resorts' systems. Initial infiltration stemmed from a combination of social engineering and advanced ransomware techniques, leading to widespread operational disruptions.

      Social Engineering Tactics Used

      Hackers employed social engineering to gain unauthorized access to MGM’s systems. Members of the ALPHV-affiliated subgroup, Scattered Spider, contacted MGM staff, exploiting human vulnerabilities to extract critical credentials. Using these compromised accounts, attackers bypassed security systems. These methods are consistent with the APT group’s established tactics and emphasize the importance of employee awareness to counter social engineering threats.

      Deployment Of Ransomware

      Following the initial breach, attackers escalated tactics by encrypting systems using ransomware. More than 100 ESXi hypervisors within MGM’s infrastructure were targeted, according to ALPHV’s statement. Ransomware deployment occurred after MGM's internal teams attempted to mitigate disruptions without engaging the attackers. This decision differed from similar incidents like Caesars Entertainment, where ransom payments reportedly prevented broader data leaks. MGM’s refusal to pay led to a prolonged shutdown of systems, impacting critical operations.

      Impact On MGM Resorts

      The 2023 cyberattack on MGM Resorts disrupted essential operations, compromised significant customer data, and resulted in substantial financial losses.

      Disruption Of Operations

      Digital systems at more than 30 MGM locations, including key properties like Bellagio and Mandalay Bay, were shut down following the breach. This shutdown affected hotel room digital keys, casino ATMs, and slot machines, leaving guests waiting in hours-long lines for physical room keys and handwritten receipts. The company’s decision to shut down systems as part of its incident response strategy aimed to protect data but extended disruptions for several days. Online booking platforms and websites for MGM properties also went offline, causing cancellations and impeding reservations during a critical period.

      Data Breach And Compromise

      The breach exposed sensitive personal information for numerous customers, primarily those who used MGM services before March 2019. Compromised data included contact details, birth dates, gender, and driver’s license numbers. Though MGM's incident response focused on containment, the hack exploited weak points through social engineering and ransomware, underscoring vulnerabilities in the data storage and access protocols. The attackers' actions revealed the potential scale of damage when advanced techniques are combined with human-targeted exploits.

      Financial Losses

      MGM reported approximately $100 million in damages resulting from the attack, alongside one-time costs below $10 million during the third quarter of 2023. These financial impacts stemmed from operational disruptions, decreased customer bookings, and potential legal liabilities. The stock price dropped by 4.1% over two trading days following the breach, reflecting immediate market reactions. Though hospitality and gaming revenues recovered by 2024, the attack temporarily eroded investor confidence and highlighted costly vulnerabilities in cybersecurity defenses.

      Hackers Behind The Attack

      The cyberattack on MGM Resorts underscored the sophistication and tactics of modern threat actors. The event revealed how social engineering and partnerships within hacker groups can bypass cybersecurity measures, even at large organizations.

      Groups Claiming Responsibility

      Scattered Spider, also known as Oktapus or Octo Tempest, has been widely associated with the attack. This English-speaking group is known for advanced social engineering and SIM-swapping techniques. Microsoft suggested a collaboration between Scattered Spider and ALPHV during this attack. A subset known as "Star Fraud" was reportedly involved in executing the casino breach, showcasing coordination among cybercriminal networks. Despite recent arrests related to the MGM incident, these groups maintained a reputation for targeting enterprises with accessible human vulnerabilities.

      Their Methods And Motives

      The hackers used a combination of social engineering and ransomware to infiltrate MGM's systems. Scattered Spider initiated the breach through a convincing phone call to the help desk, exploiting publicly available information. Within ten minutes, they accessed credentials critical to bypassing security. Once inside, they escalated their attack by deploying ransomware, targeting over 100 ESXi hypervisors and compromising MGM's infrastructure.

      Their motives leaned towards financial gains, as ransomware typically involves demands for payment. While Caesars Entertainment reportedly paid a ransom in a similar attack, MGM chose not to, resulting in prolonged disruptions. This approach not only inflicted operational losses but also highlighted MGM's strategic incident response shortcomings during the recovery process.

      Implications And Lessons Learned

      The MGM cyberattack of September 2023 exposed critical weaknesses in corporate cybersecurity, especially around social engineering and incident response. It emphasizes the urgent need for improved defenses and more resilient recovery protocols.

      Vulnerabilities In Help Desk Procedures

      Help desk protocols became a focal point for the attackers, as social engineering played a key role in gaining unauthorized access. Members of the Scattered Spider group exploited a lack of robust authentication processes by posing as legitimate employees and leveraging publicly available information. This allowed them to extract critical credentials within minutes, bypassing key access controls.

      Over 40% of the help desk's tasks involve password resets, often vulnerable to exploitation. Attackers exploited these weaknesses to request resets, including Multifactor Authentication (MFA) factors, effectively neutralizing more secure authentication systems. The MGM attack timeline highlights how quickly such access was obtained and escalated into full system compromise.
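
One way to monitor for the reset pattern described above, as an added example that is not part of the original article: it correlates an MFA reset performed by a help desk agent with a new factor enrollment from an unfamiliar source IP shortly afterward. The event schema, account names, privileged list and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
PRIVILEGED = {"it-admin-01"}     # hypothetical privileged accounts

# Constructed sample audit events (hypothetical schema, not a real IdP export):
# (timestamp, actor, target account, action, source IP)
EVENTS = [
    ("2025-01-10T07:30:00", "it-admin-01", "it-admin-01", "login.success", "10.1.1.9"),
    ("2025-01-10T08:00:00", "jdoe", "jdoe", "login.success", "10.1.1.5"),
    ("2025-01-10T09:00:00", "helpdesk-7", "it-admin-01", "mfa.reset", "10.9.0.2"),
    ("2025-01-10T09:06:00", "it-admin-01", "it-admin-01", "mfa.enroll", "203.0.113.44"),
    ("2025-01-10T09:08:00", "it-admin-01", "it-admin-01", "login.success", "203.0.113.44"),
    ("2025-01-10T10:00:00", "helpdesk-3", "jdoe", "mfa.reset", "10.9.0.3"),
    ("2025-01-10T10:10:00", "jdoe", "jdoe", "mfa.enroll", "10.1.1.5"),
    ("2025-01-10T11:00:00", "helpdesk-3", "asmith", "mfa.reset", "10.9.0.3"),
    ("2025-01-10T13:00:00", "asmith", "asmith", "mfa.enroll", "198.51.100.9"),
]

def find_suspicious_resets(events, window=WINDOW):
    """Flag an MFA reset performed by someone else (e.g. the help desk) that is
    followed within `window` by a factor enrollment from an IP never seen for
    that account before the reset."""
    known_ips = {}   # account -> source IPs seen in its own earlier activity
    pending = {}     # account -> (reset time, agent who performed the reset)
    alerts = []
    for ts_raw, actor, target, action, ip in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if action == "mfa.reset" and actor != target:
            pending[target] = (ts, actor)   # agent's IP is not the user's IP
            continue
        reset = pending.get(target)
        if reset and ts - reset[0] > window:
            del pending[target]             # reset too old to correlate
            reset = None
        if action == "mfa.enroll" and reset and ip not in known_ips.get(target, set()):
            alerts.append({
                "user": target, "agent": reset[1], "new_ip": ip,
                "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                "severity": "high" if target in PRIVILEGED else "medium",
            })
            del pending[target]
            continue                        # do not learn the unverified IP
        known_ips.setdefault(target, set()).add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

In the constructed data only the reset of `it-admin-01` is flagged: `jdoe` re-enrolls from a previously seen IP, and the `asmith` enrollment falls outside the window.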

      Strengthening Cybersecurity Measures

      Organizations must implement stricter cybersecurity measures to prevent similar incidents. Comprehensive employee training on identifying and resisting social engineering tactics is essential, especially for help desk teams who handle sensitive data. Enhanced MFA systems that resist resets over insecure channels, together with implementation of the Principle of Least Privilege, are critical to strengthening defenses.

      Investing in zero-trust architecture and frequent security audits can mitigate risks. The MGM incident response revealed gaps in rapid recovery planning, particularly when systems were shut down to contain damage. Companies should develop and regularly test incident response plans, ensuring operational continuity in the face of cyber threats.

      Conclusion

      The MGM Resorts cyberattack serves as a stark reminder of the evolving threats businesses face in today’s digital landscape. It exposed critical vulnerabilities in cybersecurity practices, particularly around social engineering and incident response.

      We must prioritize robust security measures, employee training, and proactive planning to mitigate future risks. As the hospitality industry recovers, this incident highlights the importance of staying vigilant against increasingly sophisticated cyber threats.

      Frequently Asked Questions

      What was the MGM cyberattack in 2023?

      In September 2023, MGM Resorts, a major casino and hospitality operator, suffered a cyberattack by the hacking group Scattered Spider. The attack disrupted over 30 properties, affecting digital keys, ATMs, slot machines, and online bookings while exposing customer data and causing significant operational damage.

      Who was behind the MGM cyberattack?

      The attack was executed by Scattered Spider, a subgroup of ALPHV, known for social engineering and ransomware tactics. They used a phone call to the MGM help desk to gain access to critical credentials within minutes.

      Did MGM Resorts pay the ransom demanded by the hackers?

      No, MGM Resorts chose not to pay the ransom demanded by the hackers. Instead, they shut down internal systems to mitigate damage, which led to prolonged operational disruptions.

      What systems were affected by the MGM cyberattack?

      Systems impacted included digital room keys, ATMs, slot machines, payment systems, elevators, and online booking platforms. Guests faced long check-in lines and relied on handwritten receipts for transactions.

      Was any personal customer data leaked during the attack?

      Yes, sensitive information, such as contact details, gender, dates of birth, and driver’s license numbers of customers who used MGM services before March 2019, was exposed during the breach.

      How much damage did the cyberattack cost MGM Resorts?

      The cyberattack caused an estimated $100 million in damages, alongside additional one-time costs below $10 million. It also contributed to a 4.1% drop in MGM’s stock price.

      How did the hackers gain access to MGM’s systems?

      The attackers exploited weak authentication processes via social engineering. By contacting MGM staff and leveraging publicly available information, they obtained critical credentials to bypass security systems.

      How long did MGM Resorts’ systems remain affected?

      The operational disruptions lasted several days as MGM worked to contain and recover from the attack without paying the ransom.

      What lessons can companies learn from the MGM cyberattack?

      The MGM breach highlights the importance of robust cybersecurity practices, such as improving incident response plans, training employees against social engineering, implementing multi-factor authentication, and adopting zero-trust architecture.

      Did Caesars Entertainment face a similar cyberattack?

      Yes, Caesars Entertainment experienced a similar cyberattack in 2023. Unlike MGM, Caesars reportedly paid the ransom, avoiding prolonged operational disruption and broader data leaks.
