The MGM Cyberattack Explained: How One Phone Call Crashed Las Vegas
In September 2023, MGM Resorts—the company behind iconic Las Vegas hotels and casinos—was brought to its knees by a cyberattack that began with just one phone call. This video breaks down how hackers used social engineering to breach security, disrupt hotel operations, steal data, and cost MGM over $100 million. Learn what happened, who was behind it, and what lessons we can all take away to stay safer online.
Text/Transcript from Video
Las Vegas—home to bright lights, big wins, and the unexpected. But in September 2023, MGM Resorts—one of the biggest names on the Strip—became the victim of a massive cyberattack that shut down casinos, stole personal data, and cost the company over 100 million dollars.
It all began with a phone call. The attackers were part of a cybercriminal group known as Scattered Spider, an English-speaking crew affiliated with the ransomware gang ALPHV, also known as BlackCat.
In just a few minutes, they used social engineering—a form of manipulation where someone tricks a person into giving up confidential access. They posed as an employee and contacted MGM’s help desk.
Shockingly, that one phone call was enough. The help desk gave the attackers credentials, which allowed them to access MGM’s Okta identity platform and Azure cloud environment.
From there, things escalated quickly. The attackers deployed ransomware, encrypting over 100 ESXi servers—a critical part of MGM’s digital infrastructure. That one breach brought down almost everything: the hotel booking system, slot machines, ATMs, digital room keys, and even the company website.
The damage was not just digital—it was deeply public.
Guests were unable to check into their rooms.
Digital keys stopped working.
ATMs and casino floor slot machines went offline.
Employees were forced to use pen and paper for reservations and billing.
This chaos lasted for days, with some systems taking a week or more to restore.
MGM later revealed that the incident cost them approximately $100 million, impacting both revenue and operational costs in the third quarter of 2023.
And that was just the operational fallout.
The attackers also exfiltrated—or stole—sensitive customer data.
For guests who stayed at MGM properties before March 2019, personal information was compromised.
This included full names, contact details, birthdates, genders, driver’s license numbers, and even some Social Security Numbers.
While MGM says no passwords or payment information were taken, the loss of personal identifiers poses long-term risks like identity theft and phishing scams.
Faced with this crisis, MGM Resorts made a bold decision:
They refused to pay the ransom.
Instead, they initiated a total shutdown of affected systems to contain the spread. This decision likely prevented further data theft or ongoing extortion—but it also extended the length of the outage.
MGM’s recovery efforts were slow but calculated. By refusing to pay, they signaled a firm stance against ransomware groups, even if it came at a high cost.
So, who exactly was behind the attack?
The culprits call themselves Scattered Spider—a relatively new but extremely effective group.
Unlike many cyber gangs operating from overseas, Scattered Spider is believed to be based in the U.S. or U.K., with members as young as their late teens.
They specialize in social engineering and have previously impersonated IT staff, used SIM-swapping attacks, and targeted identity platforms like Okta to gain access to corporate systems.
Their affiliation with ALPHV, one of the world’s most dangerous ransomware syndicates, makes them an even greater threat.
Interestingly, MGM was not the only casino giant targeted.
Around the same time, Caesars Entertainment suffered a similar breach.
But Caesars took a different route: they reportedly paid a $15 million ransom, and their systems were restored quickly.
MGM’s refusal, on the other hand, prolonged the crisis, but it meant they avoided paying criminals and may have avoided encouraging future attacks.
These contrasting approaches raise important questions about best practices in ransomware response.
The MGM attack revealed more than just a lapse in digital security—it exposed human vulnerability.
Despite having advanced cybersecurity tools, MGM was defeated by a simple help-desk scam.
This shows the importance of training frontline staff, especially those who handle password resets or account access.
Organizations must harden their processes around identity access, enforce multi-factor authentication, and adopt a zero-trust architecture, where no user or device is trusted by default.
There are powerful lessons here—not just for casinos, but for every business.
One: Train your people.
Two: Protect your identity platforms.
Three: Do not underestimate social engineering.
Four: Prepare a crisis response plan before you need it.
And five: Make security a company-wide culture—not just a checklist.
The cost of prevention may seem high—but it is nothing compared to the cost of a successful breach.
MGM’s story is a powerful reminder:
In the digital world, the biggest risks often come from the simplest mistakes.
As cyber threats grow more advanced, it is the human factor that remains the weakest—and most important—link in the chain.
Stay aware. Stay secure. And do not let your organization be the next headline.
If you found this breakdown helpful, make sure to like, subscribe, and share with your team.