The MGM Resorts Cyber Attack: A Closer Look at a High-Stakes Breach

On September 11, 2023, MGM Resorts International made a troubling announcement. The $14 billion gaming giant had fallen victim to a malicious cyber-attack that disrupted key systems, including its website, online reservation platform, and in-casino services like ATMs, slot machines, and credit card machines. The perpetrators behind this attack, a hacking group known as Scattered Spider, demanded a ransom, threatening further assaults if their demands were not met. In this article, we will delve into the details of this cyber-attack, examining who was involved, how it was carried out, and the impact it has had on MGM Resorts.


The Actors: Scattered Spider

Scattered Spider is a relatively new entrant in the ransomware landscape, but their impact has been substantial. Specializing in targeting organizations, predominantly in the United States and Canada, Scattered Spider stands out among the Russian-speaking cyber-criminal gangs that dominate the ransomware industry. Their modus operandi revolves around encrypting or stealing data and then demanding ransoms for its safe return.


The Attack Method

The Scattered Spider gang employed a two-pronged attack strategy to breach MGM Resorts’ defences. First, they engaged in social engineering to identify an MGM employee working in IT support through LinkedIn. Armed with this information, they executed a “phishing” attack on the MGM help desk, successfully obtaining login credentials. Shockingly, the entire process took a mere 10 minutes.

Compounding the issue, on September 1, operators of a Telegram channel named Spider Logs, which serves as a marketplace for cybercriminals to buy and sell login credentials and other compromised data, sold a dataset containing the credentials of a mid-level IT engineer at MGM. The password for this engineer’s company login was shockingly simple: “K@sper99!”


The Impact

Operational Impact: The attack had a wide-ranging operational impact, affecting reservation systems and casino floors across multiple states, including Las Vegas, Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York, and Ohio. All websites under the MGM Resorts domain, including, were taken offline for an extended period. ATMs and credit card machines within MGM properties were also rendered inoperative, while the MGM Rewards app ceased to function.

Financial Impact: The financial repercussions of this attack were significant. MGM Resorts’ stock price plummeted from $44.35 on September 8 to $36.54 on September 22, marking a substantial loss in market value. Early estimates suggest that the cyberattack may have cost the casino operator as much as $80 million.

Reputational Impact: This incident marked the second cybersecurity breach for MGM Resorts, the first occurring in 2019 when personal information of 142 million guests was stolen and subsequently appeared on a dark web cybercrime marketplace. The company’s reputation has taken another hit, raising concerns about its ability to safeguard customer data effectively.

Legal Implications: In response to the attack, MGM Resorts promptly filed the necessary disclosures of cyber incidents with the U.S. Securities and Exchange Commission (SEC), as required by law. Two lawsuits target MGM Resorts International over alleged customer data mishandling. Inadequate breach disclosures left customers uncertain about future risks. Victims suspect their data was sold on the dark web. The lawsuits argue MGM knew cybersecurity risks but failed to protect customer data. They highlight the dark web’s demand for stolen personal information. Both suits demand assurances against future breaches, monetary compensation, and a jury trial, citing negligence, contract breaches, and unjust enrichment.


Role to play: CISO

A ransomware attack is a critical and often disruptive event for any organization. Here are some key lessons that a Chief Information Security Officer (CISO) should take to heart from a ransomware attack:

  • Backup and Recovery: Secure, offline backups are essential. Ensure that backups are regularly updated and tested for reliability and completeness.
  • Security Hygiene Matters: Basic cybersecurity practices, such as keeping systems and software up to date, patch management, and strong password policies, can go a long way in preventing attacks.
  • User Training and Awareness: Invest in employee training and awareness programs to educate staff about phishing threats and social engineering tactics used by attackers.
  • Network Segmentation: Implement proper network segmentation to limit lateral movement for attackers in the event of a breach.
  • Zero Trust Approach: Adopt a zero-trust security model that verifies every user and device attempting to connect to the network, even those already inside.
  • Regular Vulnerability Assessments: Conduct regular vulnerability assessments and penetration testing to identify and remediate weaknesses in your systems.
  • Incident Response Coordination: Collaborate effectively with law enforcement, legal counsel, and cybersecurity experts during an incident.
  • Ransomware Payment Considerations: Weigh the pros and cons of paying the ransom carefully, considering the risks, legality, and ethical implications.
  • Effective Communication: Establish clear communication channels both within the organization and with external stakeholders to maintain transparency during an incident.
  • Documentation and Post-Incident Analysis: Document every step of the incident response process and conduct a thorough post-incident analysis to learn from the attack.
  • Business Continuity Planning: Develop and maintain a robust business continuity plan to minimize disruptions during a ransomware attack.
  • Reputation Management: Work closely with public relations and marketing teams to manage the organization’s reputation and rebuild trust with stakeholders.
  • Long-Term Investment: Cybersecurity is an ongoing process, not a one-time fix. Allocate resources and budget for long-term security investments.
  • Cybersecurity Culture: Foster a culture of cybersecurity awareness throughout the organization, where everyone understands their role in protecting against threats.



The cyber-attack on MGM Resorts by Scattered Spider serves as a stark reminder of the ever-present and evolving threats in the digital age. As organizations increasingly rely on digital systems, cybersecurity remains a paramount concern. The breach not only disrupted operations but also dealt a significant blow to MGM Resorts’ financial stability and reputation. It underscores the pressing need for robust cybersecurity measures, vigilant employee training, and proactive threat mitigation strategies to protect against the ever-adaptive tactics of cybercriminals. CISOs can better prepare their organizations to defend against future threats and respond effectively if another incident occurs. Cybersecurity is an evolving field, and adaptability and continuous improvement are essential to staying ahead of threat actors.

About the Author(s)


  • Prachi Vohra

    Prachi Vohra is a proficient Technical Program Manager at Netskope, leveraging her GCISO certification and extensive experience in the information technology and services industry. With a demonstrated history of success, Prachi excels as both a program and people manager, adept at navigating complex technical landscapes. Her skillset spans DevOps, Project/Program Management, IT Infrastructure, and Data Center services, enabling her to lead with confidence and precision. Prachi is highly proficient in team mentoring and client/stakeholder management, ensuring seamless collaboration and communication throughout projects. Additionally, she holds certifications as a Scrum Master, ITIL, and Prince 2, further enhancing her credentials. Prachi's expertise extends to working with global clients across the US, UK, and Europe, managing cross-functional teams and overseeing end-to-end delivery of projects and large-scale programs with finesse.

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *