
SandBoxed

Vol. 7

When the Casinos Get Played: Inside the MGM Cyberattack

Tracing the MGM Breach from Initial Access to Ransomware

Imagine being seconds away from winning a thousand dollars at one of the biggest casinos in Las Vegas when, suddenly, everything goes quiet. The slot machines and gaming systems stop working, and an uneasy silence settles over the floor. Excitement turns to confusion as guests begin to voice their complaints. This was the scene at MGM Resorts properties in September 2023.

MGM announced that a cyberattack had affected its hotels and casinos, taking down gaming systems, hotel reservations, Wi-Fi, and digital room keys. Cybersecurity researchers linked the attack to the Scattered Spider group, operating in partnership with the ALPHV/BlackCat ransomware operation.

The initial access was pure social engineering rather than a software exploit. The attackers reportedly researched an employee on social media platforms such as LinkedIn, then impersonated that employee in a vishing (voice phishing) call to MGM's IT help desk, persuading it to hand over or reset the employee's login credentials. The employee's Okta account was reportedly compromised in this way, and with it access to internal systems, including customer data, was granted without anyone realising an attacker was on the line. From there the attackers moved laterally and escalated privileges until they could disrupt hotel and casino systems; those widespread outages were the first visible sign of the breach.
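The chain described above (a help-desk-assisted credential or MFA reset, followed by a sign-in from somewhere the user has never been seen, followed by a privilege grant) leaves a trail in identity-provider logs and can be caught before the outages start. The detector below is an added example written for this page; it is not code from MGM, Okta, or the investigators. The event-type strings mirror Okta System Log naming as the editor recalls it and should be verified against a real tenant, and the log records, users and IP addresses are constructed for the example.

```python
"""
Added example: flag help-desk-assisted account takeover in identity-provider logs.

Pattern: a help-desk actor resets a user's MFA factors or password; within a
short window that user signs in from an IP never seen for them before; and,
optionally, the account is then granted an admin privilege.
Event-type names are an assumption modelled on Okta System Log naming; check
them against the actual tenant before deploying anything like this.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.account.reset_password"}
LOGIN_EVENT = "user.session.start"
PRIV_EVENT = "user.account.privilege.grant"
WINDOW = timedelta(hours=2)  # how long an account stays "watched" after a reset

# Constructed sample records (JSON Lines) shaped like Okta System Log entries.
# Users, hosts and addresses are invented; nothing here is real MGM data.
SAMPLE_LOG = """\
{"published":"2023-09-01T09:00:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"198.51.100.10"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-01T09:30:00Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"target":[],"client":{"ipAddress":"198.51.100.11"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-10T14:02:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk1@example.com"},"target":[{"alternateId":"alice@example.com"}],"client":{"ipAddress":"10.0.5.21"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-10T14:05:00Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk1@example.com"},"target":[{"alternateId":"alice@example.com"}],"client":{"ipAddress":"10.0.5.21"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-10T14:09:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"203.0.113.77"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-10T14:20:00Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"svc-iam@example.com"},"target":[{"alternateId":"alice@example.com"}],"client":{"ipAddress":"203.0.113.77"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-10T16:00:00Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk1@example.com"},"target":[{"alternateId":"bob@example.com"}],"client":{"ipAddress":"10.0.5.21"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-10T16:05:00Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"target":[],"client":{"ipAddress":"198.51.100.11"},"outcome":{"result":"SUCCESS"}}
"""


@dataclass
class Event:
    ts: datetime
    etype: str
    actor: str
    targets: list
    ip: str
    ok: bool


def parse_events(text):
    """Parse JSON Lines into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["published"].replace("Z", "+00:00")),
            etype=rec["eventType"],
            actor=rec["actor"]["alternateId"],
            targets=[t["alternateId"] for t in rec.get("target", [])],
            ip=rec["client"]["ipAddress"],
            ok=rec.get("outcome", {}).get("result") == "SUCCESS",
        ))
    return sorted(events, key=lambda e: e.ts)


def detect_helpdesk_takeover(events, window=WINDOW):
    """Return one alert per user whose help-desk reset was followed, inside the
    window, by a sign-in from an IP not in that user's login history. Severity
    is 'high' if an admin privilege was also granted to the account."""
    known_ips = {}   # user -> IPs seen in earlier successful sign-ins (baseline)
    watch = {}       # user -> details of a help-desk reset still being tracked
    alerts = []

    def close(user):
        w = watch.pop(user)
        if w["login_ip"]:  # a reset with no new-IP sign-in is routine, not an alert
            w["severity"] = "high" if w["priv_granted"] else "medium"
            alerts.append(w)

    for e in events:
        # Retire watches whose window has elapsed before handling this event.
        for user in [u for u, w in watch.items() if e.ts - w["reset_at"] > window]:
            close(user)

        if e.etype in RESET_EVENTS and e.ok:
            for user in e.targets:
                if user == e.actor:
                    continue  # self-service reset: not the help-desk pattern
                w = watch.setdefault(user, {
                    "user": user, "reset_by": e.actor, "reset_at": e.ts,
                    "resets": [], "login_ip": None, "priv_granted": False})
                w["resets"].append(e.etype)
        elif e.etype == LOGIN_EVENT and e.ok:
            user = e.actor
            w = watch.get(user)
            if w and w["login_ip"] is None and e.ip not in known_ips.get(user, set()):
                w["login_ip"] = e.ip   # first sign-in after the reset, from a new place
                w["login_at"] = e.ts
            known_ips.setdefault(user, set()).add(e.ip)
        elif e.etype == PRIV_EVENT and e.ok:
            for user in e.targets:
                w = watch.get(user)
                if w and w["login_ip"]:
                    w["priv_granted"] = True  # escalation on an already suspicious account

    for user in list(watch):
        close(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(parse_events(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['user']}: reset by {alert['reset_by']} at "
              f"{alert['reset_at']:%H:%M}, new-IP sign-in from {alert['login_ip']}, "
              f"privilege granted: {alert['priv_granted']}")
```

On the constructed sample this raises a single high-severity alert for alice and nothing for bob, whose post-reset sign-in came from an address already in his history. Two caveats a practitioner should keep in mind: the "new IP" test is only a heuristic, since an attacker who tunnels through a residential proxy or the corporate VPN may land inside the baseline, so enriching with ASN, device fingerprint and impossible-travel checks is worthwhile; and the detector is a backstop, not a substitute for the control that would have stopped the call in the first place, namely a help-desk procedure that verifies identity out of band (a callback to a number on file, a manager approval, or an in-person check) before any MFA or password reset.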

Customer data, including personally identifiable information (PII) such as names, contact information, driver's license numbers and, in some cases, Social Security numbers, was then accessed and exfiltrated. ALPHV later claimed to have stolen approximately 6 TB of data and attempted to extort MGM. Under pressure from customers and internal stakeholders alike, MGM chose not to pay the ransom and to restore its systems without the attackers' cooperation, a decision that contributed to prolonged outages and significant financial losses. Millions of customer records were affected, and several lawsuits were filed against the company, leaving substantial financial and reputational damage that proved difficult to recover from.

Lawsuits later alleged that customer records had not been adequately protected and that gaps existed in MGM's security practices. Okta had already issued a general warning to its customers about social-engineering attacks aimed at IT help desks, and the incident exposed shortcomings in identity security and access controls at MGM. In response, MGM supported affected customers and strengthened its security posture with network segmentation, stronger encryption practices, enhanced intrusion detection and prevention systems, and tighter authorization processes.

Organisations need to stay aware of evolving social-engineering techniques and to have rehearsed plans for responding to a breach as efficiently as possible. Neglecting basic security practice only compounds the harm.

Downtime, Defections, and the Price of Digital Failure

“This wasn’t a malware problem — it was an identity problem”, cybersecurity analysts echoed.

The MGM Resorts breach began with a phone call to the help desk, not with a technical exploit. It exposed the company's vulnerability to ransomware through gaps in identity verification procedures, employee security awareness training, and zero-trust implementation. Because of its colossal cost, the case quickly drove security investment across the entire hospitality industry.

Overnight, everything became manual: digital room keys stopped working, casino management systems failed, and, most importantly, hotel check-in systems went down. With servers offline, guests waited in long, seemingly endless queues, and videos of those queues were posted online, seriously damaging MGM's reputation in an industry where delivering exceptional guest experiences is key to survival. Footage of non-functioning gaming floors also circulated on the internet, further eroding brand prestige.

Financially, MGM lost high-margin casino revenue on peak days, when guest volume and gaming activity were at their highest. Guests also abandoned the property after waiting in long queues with little progress and no clear information about when they would be able to check in. Analysts estimate more than $100 million in lost revenue and recovery costs.

Rival hospitality groups accelerated investment in redundant systems and incident response planning so that operations could continue even if core IT infrastructure were compromised: an upgrade for the competitors, while MGM was left to clean up the mess.

Decode the Phrase

Wkh fdvlqr idoohg qrw eb pdozduh, exw eb lghqwlwb.
(Hint: Shift each letter back by 3)

The casino failed not by malware, but by identity.

The SandBoxed Cartoon

[Four-frame comic; the frames are images and are not reproduced in this text version.]