Casino Hacked

2025-11-30

Understanding Casino Cyberattacks

Casino cyberattacks represent some of the most sophisticated and costly breaches in hospitality history. The MGM Resorts hack of 2023 exposed critical vulnerabilities in enterprise security, costing over $100 million and disrupting operations across multiple properties.

  • Social engineering tactics bypassing traditional security
  • Ransomware attacks targeting interconnected systems
  • Multi-million dollar financial and operational impacts
  • Guest data exposure affecting millions of customers
  • Long-term legal and compliance consequences

The September 2023 cyberattack on MGM Resorts International sent shockwaves through the hospitality and cybersecurity industries. What began as a simple phone call to an IT help desk evolved into one of the most devastating ransomware attacks in casino history, causing over $100 million in losses and exposing fundamental weaknesses in enterprise security architecture. This incident, along with the simultaneous breach at Caesars Entertainment, revealed how even the most sophisticated organizations remain vulnerable to social engineering tactics and highlighted emerging trends in cybercrime that every business must understand.

The MGM hack was not an isolated incident but rather a symptom of broader security challenges facing modern enterprises. As threat actors become increasingly sophisticated in their methods, organizations must reassess their security postures, particularly around identity management, access controls, and employee training. The lessons from this breach extend far beyond the casino industry, offering critical insights for any organization managing sensitive customer data and complex digital infrastructure.

The MGM Resorts Cyberattack: A Detailed Timeline

In early September 2023, MGM Resorts International experienced a catastrophic cyberattack that paralyzed operations across its entire portfolio of properties. The breach affected flagship Las Vegas casinos including the Bellagio, MGM Grand, Mandalay Bay, Luxor, Excalibur, and the Cosmopolitan, as well as properties in New York, Ohio, and Michigan. Guests arriving at these world-renowned resorts encountered scenes more reminiscent of the 1990s than a modern hospitality operation.

Slot machines went dark across casino floors. Digital key cards stopped functioning, locking guests out of their rooms. ATMs became inoperative, stranding visitors without cash. Payment systems crashed, forcing staff to process transactions manually with pen and paper. Hotel employees resorted to carrying cash in fanny packs to pay out gambling winnings. The reservation system collapsed, preventing new bookings and check-ins. Even escalators in some properties stopped working as the attack spread through interconnected building management systems.

The operational chaos lasted nearly a week, with some systems remaining offline for extended periods. MGM responded by waiving cancellation fees for affected guests and attempting to maintain operations through manual processes. However, the damage extended far beyond immediate operational disruptions. The attack exposed sensitive guest data, triggered regulatory investigations, and ultimately led to a class-action settlement program addressing both the 2023 breach and a previous 2019 data breach that had exposed information for 10.6 million guests.

How Hackers Breached MGM: The Scattered Spider Method

The technical sophistication of the MGM breach was paradoxically built on remarkably simple social engineering tactics. Cybersecurity researchers attributed the attack to Scattered Spider, a subgroup operating within the ALPHV ransomware gang, also known as BlackCat. This threat actor group has become notorious for its effectiveness in compromising large enterprises through human manipulation rather than purely technical exploits.

The Vishing Attack Vector

The breach began with a vishing attack, a form of phishing conducted over the phone. Using publicly available information from LinkedIn, the attackers identified an MGM employee and gathered enough details to impersonate them convincingly. They then called MGM's IT help desk, posing as the legitimate employee and requesting a password reset. Within approximately 10 minutes, the help desk personnel, following what appeared to be standard verification procedures, provided the attackers with access credentials.

This initial foothold gave the threat actors legitimate access to MGM's internal network. From there, they employed privilege escalation techniques to gain higher-level access rights, allowing them to move laterally across the organization's systems. The attackers methodically mapped the network architecture, identified critical systems, and positioned themselves to cause maximum disruption.

Multi-Factor Authentication Fatigue

Beyond simple vishing, the attackers reportedly employed multi-factor authentication fatigue tactics. This technique involves repeatedly triggering MFA prompts for a legitimate user until they approve the authentication request out of frustration or confusion. By combining social engineering with technical persistence, Scattered Spider bypassed security controls that many organizations consider robust defenses.
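A defender can detect this pattern in authentication logs as an approval that follows a burst of denied or ignored prompts for the same user. The sketch below is an added example, not code from any vendor or from the incident; the log layout, event names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <user> <result>". The layout and
# result names are assumptions, not any MFA vendor's log format.
SAMPLE_LOG = """\
2024-01-15T02:10:00 alice push_denied
2024-01-15T02:10:40 alice push_timeout
2024-01-15T02:11:15 alice push_denied
2024-01-15T02:12:05 alice push_timeout
2024-01-15T02:12:50 alice push_approved
2024-01-15T09:00:00 bob push_approved
2024-01-15T09:30:00 carol push_denied
2024-01-15T13:45:00 carol push_approved
"""

WINDOW = timedelta(minutes=10)  # look-back window (assumed threshold)
MIN_REJECTED = 3                # rejected or ignored prompts before an approval

def parse(log_text):
    """Yield (timestamp, user, result) tuples from the text log."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result

def detect_mfa_fatigue(log_text, window=WINDOW, min_rejected=MIN_REJECTED):
    """Return one alert per approval preceded by a burst of rejected prompts."""
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    alerts = []
    for ts, user, result in sorted(parse(log_text)):
        queue = recent[user]
        # Drop rejected prompts that fell out of the look-back window.
        while queue and ts - queue[0] > window:
            queue.popleft()
        if result in ("push_denied", "push_timeout"):
            queue.append(ts)
        elif result == "push_approved":
            if len(queue) >= min_rejected:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "rejected_in_window": len(queue),
                })
            queue.clear()  # an approval ends the current burst
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert of this kind is a reason to hold the session and contact the user through a separate channel before the approval is honored.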

Ransomware Deployment and Data Exfiltration

Once positioned within the network, the attackers deployed ransomware that encrypted critical systems across MGM's infrastructure. Simultaneously, they exfiltrated sensitive data, creating dual leverage for extortion. This double-extortion model has become standard practice among sophisticated ransomware groups, allowing them to threaten both operational disruption and data exposure.

The Caesars Entertainment Parallel Attack

The timing of the MGM breach was not coincidental. Caesars Entertainment suffered a remarkably similar attack during the same period, suggesting coordinated targeting of the casino industry by organized cybercrime groups. While the full details of the Caesars breach remain less publicized, the company disclosed in SEC filings that hackers gained access to customer data including driver's license information and Social Security numbers of loyalty program members.

The response from Caesars differed significantly from MGM's approach. Cybersecurity experts widely interpreted Caesars' statement that it had taken steps to ensure stolen data was deleted by the unauthorized actor as confirmation that the company paid the ransom. This decision, while controversial, reflected a calculation that the cost of ransom payment was lower than the potential damages from data exposure and operational disruption.

The simultaneous targeting of MGM and Caesars demonstrated that threat actors were specifically focusing on the casino industry, likely recognizing both the high-value data these organizations hold and their operational sensitivity to downtime. Casinos cannot afford extended outages without massive revenue losses, creating pressure to resolve breaches quickly, often through ransom payment.

How Casino Hacking Operations Unfold

Modern casino cyberattacks follow a sophisticated multi-stage process. Threat actors begin with reconnaissance, identifying targets through public information sources like LinkedIn. They then employ social engineering techniques, particularly vishing, to manipulate help desk personnel into providing access credentials.

Once inside the network, attackers escalate privileges, move laterally across systems, and deploy ransomware to encrypt critical infrastructure. The interconnected nature of casino operations means a single breach point can cascade across slot machines, hotel systems, payment processors, and reservation platforms simultaneously.

  • Initial reconnaissance and target identification
  • Social engineering and credential compromise
  • Privilege escalation and lateral movement
  • Ransomware deployment and data exfiltration

Financial Impact and Recovery Costs

MGM Resorts disclosed in SEC filings that the cyberattack resulted in approximately $100 million in losses. This figure encompasses direct costs including incident response, forensic investigation, system restoration, and legal expenses, as well as indirect costs from lost revenue during the operational disruption. However, the true financial impact extends far beyond this initial estimate.

The company faced ongoing costs related to enhanced security measures, system upgrades, and compliance with regulatory requirements. The class-action settlement program launched in 2025 added a further financial burden, providing compensation to affected guests from both the 2023 cyberattack and the 2019 data breach. Legal fees, public relations efforts to restore brand reputation, and potential regulatory fines further compounded the financial damage.

For context, the week-long operational disruption at MGM's Las Vegas properties alone represented millions in lost gaming revenue, hotel bookings, restaurant sales, and entertainment ticket sales. The reputational damage affected future bookings as potential guests questioned the security and reliability of MGM properties. Insurance coverage offset some costs, but cyber insurance policies typically include significant deductibles and coverage limitations.

The Role of IT Help Desks in Security Failures

The MGM breach highlighted a critical vulnerability that exists in virtually every large organization: the help desk. IT support personnel face an impossible balancing act between providing responsive customer service and maintaining rigorous security protocols. When an employee calls claiming to be locked out of their account, help desk workers must verify identity while also resolving the issue quickly to minimize productivity losses.

The attackers exploited this tension masterfully. By gathering sufficient information about their target employee through open-source intelligence, they could answer basic verification questions that help desk procedures typically require. The pressure on IT support staff to resolve issues quickly, combined with inadequate verification procedures, created the opening the attackers needed.

Blaming individual help desk employees for these breaches misses the systemic issues at play. Organizations often fail to provide adequate training on social engineering tactics, implement insufficient identity verification procedures, and create performance metrics that prioritize speed over security. The solution requires organizational changes, not just individual accountability.

Emerging Cybersecurity Trends Revealed by Casino Hacks

The Rise of Social Engineering

The MGM and Caesars breaches exemplify a broader trend in cybersecurity: the increasing effectiveness of social engineering attacks. As technical security controls improve, threat actors are focusing on the human element, which remains the weakest link in most security architectures. Vishing, phishing, and other manipulation tactics require less technical sophistication than exploiting software vulnerabilities, yet they often prove more effective.

Ransomware as a Service

Groups like ALPHV operate ransomware-as-a-service platforms, providing tools and infrastructure to affiliate groups like Scattered Spider. This business model has industrialized cybercrime, allowing less technically skilled actors to conduct sophisticated attacks. The professionalization of ransomware operations has increased both the frequency and severity of attacks across all industries.

Targeting Interconnected Systems

Modern enterprises rely on interconnected systems for efficiency, but this connectivity creates cascading failure risks. The MGM breach demonstrated how compromising one system can rapidly spread across an entire organization's infrastructure, affecting everything from core business operations to building management systems.

Security Lessons for Organizations

The casino hacks offer critical lessons for organizations across all sectors. First, identity verification procedures must be strengthened, particularly for remote access and password resets. Implementing callback procedures, using out-of-band verification methods, and requiring multiple forms of authentication can significantly reduce social engineering success rates.
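The callback and out-of-band controls described above can be written as a gate that a help desk tool evaluates before any password reset, so that answers an attacker could collect from public profiles never count as proof of identity. This is an added example, not MGM's procedure or any product's code; the `ResetRequest` fields, the `PUBLIC_FACTS` list and the directory record are hypothetical and constructed.

```python
from dataclasses import dataclass, field

# Facts a caller can gather from public profiles; answering them proves
# nothing about identity (the list is an assumption for this sketch).
PUBLIC_FACTS = {"full_name", "job_title", "manager_name",
                "employee_id", "office_location"}

# Constructed directory record: phone number and manager held by HR.
DIRECTORY = {"jdoe": {"phone_on_file": "+1-555-0100", "manager": "asmith"}}

@dataclass
class ResetRequest:
    claimed_user: str
    answered_facts: set = field(default_factory=set)  # what the caller recited
    callback_number: str = ""         # number the agent dialed back
    callback_confirmed: bool = False  # user confirmed the request on callback
    oob_approver: str = ""            # who approved through a second channel

def evaluate_reset(req, directory=DIRECTORY):
    """Return (allowed, reasons). Any failed control blocks the reset."""
    record = directory.get(req.claimed_user)
    if record is None:
        return False, ["unknown user"]
    reasons = []
    # The callback must go to the number on file, never one the caller gives.
    if req.callback_number != record["phone_on_file"]:
        reasons.append("callback not placed to number on file")
    elif not req.callback_confirmed:
        reasons.append("user did not confirm the request on callback")
    # Out-of-band approval must come from the manager on record.
    if req.oob_approver != record["manager"]:
        reasons.append("no out-of-band approval from manager on record")
    if not reasons:
        return True, ["callback and out-of-band approval verified"]
    # Flag the pattern from the breach: only researchable facts were offered.
    if req.answered_facts and req.answered_facts <= PUBLIC_FACTS:
        reasons.append("only publicly discoverable facts were offered")
    return False, reasons

if __name__ == "__main__":
    impostor = ResetRequest(
        claimed_user="jdoe",
        answered_facts={"full_name", "manager_name", "employee_id"},
        callback_number="+1-555-0199",  # number supplied by the caller
        callback_confirmed=True,
    )
    print(evaluate_reset(impostor))
```

Because the gate returns every failed control, the ticket records why a reset was refused, which gives the agent a procedural reason to say no under time pressure.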

Second, organizations must invest in comprehensive security awareness training that goes beyond annual compliance exercises. Employees at all levels, especially those in customer-facing roles like help desks, need regular, realistic training on recognizing and responding to social engineering attempts.

Third, network segmentation and zero-trust architecture principles can limit the damage from successful breaches. If attackers cannot move laterally across systems after gaining initial access, the scope of compromise remains contained. Fourth, incident response planning must include realistic scenarios and regular testing. The chaos at MGM properties revealed inadequate preparation for sustained system outages.

Finally, organizations must recognize that security is not solely a technology problem but an organizational culture issue. Leadership commitment, adequate resource allocation, and integration of security considerations into business processes are essential for meaningful risk reduction.

The Legal and Regulatory Aftermath

The MGM breach triggered multiple legal and regulatory consequences that continue to unfold. The class-action lawsuit settlement addresses claims from guests whose personal information was exposed in both the 2023 cyberattack and the 2019 data breach. This consolidated settlement reflects the long-term legal liability that organizations face from security failures.

MGM's attempt to sue the FTC to block an investigation into the incident demonstrates the regulatory scrutiny that major breaches attract. Federal and state regulators increasingly hold organizations accountable for inadequate security practices, particularly when consumer data is compromised. The evolving regulatory landscape, including state privacy laws and potential federal legislation, creates additional compliance obligations for organizations handling sensitive information.

Conclusion

The hacking of MGM Resorts and Caesars Entertainment represents more than isolated security failures at two casino companies. These incidents illuminate fundamental challenges facing all organizations in an era of sophisticated, persistent cyber threats. The effectiveness of simple social engineering tactics against complex security infrastructures reveals that technology alone cannot solve security problems.

The $100 million cost to MGM, the operational chaos across multiple properties, and the ongoing legal consequences demonstrate the severe business impact of cyberattacks. Yet the most important lesson may be that these breaches were preventable. Stronger identity verification, better employee training, improved incident response capabilities, and organizational commitment to security culture could have significantly reduced the risk.

As threat actors continue to evolve their tactics and target high-value industries, organizations must move beyond compliance-focused security approaches toward comprehensive risk management strategies. The casino hacks of 2023 will be remembered not just for their immediate impact but for the wake-up call they provided to enterprises across all sectors about the real-world consequences of inadequate cybersecurity.

Frequently Asked Questions

How did hackers initially breach MGM Resorts?

Hackers used a vishing attack, calling MGM's IT help desk while impersonating an employee they had researched on LinkedIn. They convinced help desk staff to reset the password, gaining legitimate access credentials within approximately 10 minutes.

What is Scattered Spider and how are they connected to the MGM hack?

Scattered Spider is a cybercrime subgroup operating within the ALPHV ransomware gang. They specialize in social engineering attacks and were identified as the threat actors behind both the MGM and Caesars Entertainment breaches in 2023.

How much did the MGM cyberattack cost the company?

MGM disclosed approximately $100 million in losses from the cyberattack in SEC filings. This includes direct incident response costs, lost revenue during the week-long disruption, and ongoing expenses, though the total long-term financial impact likely exceeds this figure.

Did Caesars Entertainment pay the ransom?

While Caesars never explicitly confirmed ransom payment, cybersecurity experts widely interpreted the company's statement about taking steps to ensure stolen data was deleted as confirmation that they paid the attackers.

What systems were affected during the MGM hack?

The attack affected slot machines, hotel key card systems, ATMs, payment processing, reservation systems, employee email, and even building management systems like escalators across MGM properties in Las Vegas and other locations.

Was MGM hacked before the 2023 incident?

Yes, MGM suffered a significant data breach in 2019 that exposed personal information for approximately 10.6 million guests. The 2025 class-action settlement addresses both the 2019 and 2023 incidents.

What is vishing and why is it so effective?

Vishing is voice phishing conducted over the phone. It is effective because it exploits human psychology and organizational pressures on help desk staff to provide quick service, often bypassing security protocols through convincing impersonation.

What security measures can prevent attacks like the MGM breach?

Key preventive measures include enhanced identity verification procedures, callback protocols for sensitive requests, comprehensive employee security training, multi-factor authentication, network segmentation, and zero-trust architecture principles.

