Skip to content
All posts

The MGM Resorts Cyberattack: A Cautionary Tale of Data Vulnerability

In a digital age where data security is paramount, MGM Resorts, a renowned casino chain, found itself at the center of a cybersecurity storm on September 11, 2023. This lead to a temporary shutdown of many of its systems, including hotel room digital keys and slot machines. Even its websites experienced outages, leaving guests dealing with long lines and manual processes. The company provided limited information, only acknowledging a "cybersecurity issue." The incident lasted around ten days before MGM Resorts announced that its operations were returning to normal. However, some "intermittent issues" persisted.


Several weeks later, on October 5, a more unsettling revelation emerged: hackers had accessed the personal information of "some customers" dating back to March 2019. This included names, contact information, gender, dates of birth, and even sensitive details like driver's licenses, passports, and Social Security numbers. The exact number of affected individuals remained undisclosed.


Unmasking the Cyber Culprits

The cyberattack on MGM Resorts exposed the vulnerabilities in even the most prominent organizations, demonstrating that the right attack vector can compromise seemingly secure systems. In this case, it was a human element—vishing, a form of social engineering where attackers manipulate individuals into performing actions, often over the phone.

The group believed to be behind the attack is known as Octo Tempest -i.e. Scattered Spider, UNC3944 and 0ktapus- their attack involved impersonating an MGM employee, likely discovered through LinkedIn, and contacting the company's IT help desk to obtain credentials. Octo Tempest employs extensive efforts in social engineering campaigns to infiltrate organizations worldwide, aiming to extort money from them. Given their wide array of methods and strategies, we consider this threat actor to be one of the most perilous criminal groups focused on financial wrongdoing. It is important to mention that ALPHV/BlackCat, a ransomware-as-a-service operation, played a role in the Las Vegas attack.


Surprisingly, MGM Resorts was not the sole target of such an attack. Around the same time, Caesars Entertainment also experienced a breach, resulting in the theft of customer loyalty program data. Although the methods were similar to those reportedly used by Octo Tempest, the group denied any involvement in the Caesars breach.


The Power of Vishing in Cybersecurity

This incident underlines the efficacy of vishing as a cyber-threat that organizations often overlook in their security measures. Vishing, derived from "voice" and "phishing," targets human vulnerability as the weakest link in cybersecurity. Over 90% of cyberattacks begin with phishing, making it one of the most common infiltration methods. The inclusion of phone calls in targeted phishing attacks has been found to be three times more effective than email-only approaches.


This form of social engineering relies on an attacker's knowledge of a system, company, or employee to execute convincing impersonation. Access to public information, such as LinkedIn profiles, can provide a wealth of data, making the attacker's job much simpler. Organizations with inadequate verification processes to confirm the caller's identity become particularly susceptible to vishing.


Guarding Against the Unseen Threat

While companies like MGM Resorts may offer identity protection and credit monitoring in response to a breach, individuals should consider further measures to safeguard their data. Cyberattacks serve as a stark reminder of the ever-present threat to data security, affecting even the most prominent organizations.

In Conclusion

In a world where data is the lifeblood of our digital existence, the MGM Resorts cyberattack serves as a stark reminder that no fortress is entirely impenetrable. As we delve into the heart of cyber warfare, we unearth essential lessons that extend beyond this cautionary tale. It becomes evident that cybersecurity basics are not just for the experts but also for everyone concerned about the safety of their digital domain. Protecting your organization, whether it is a colossal casino chain or a growing startup, hinges on understanding the fundamentals.

Our course, Cyber Security Basics, paves the way to this understanding, unveiling the principles of defending against a plethora of cyber threats, from nefarious computer viruses to devastating ransomware attacks. It arms you with the knowledge necessary to secure your digital fortresses and preserve your valuable data.

In just 5 hours of self-paced learning, you will embark on a transformative journey that requires no prior experience, only a willingness to explore and learn. Throughout this course, you will gain profound insights into the essential practices that allow you to plan, assess, and implement robust cybersecurity strategies.

Ready to empower yourself and your company with the tools and knowledge needed to guard your digital realm? Contact Andrea Lopes, our Director of Education & Training, at for more information. Bring your data to life.