September 10, 2025

Investigating the MGM Cyberattack: How Social Engineering and a Help Desk Put the Strip at Risk

By Cortney Ray

Iron Summary

Your quick look at the story before we dig deeper.

In September 2023, MGM Resorts International, operator of 29 hotels and casinos in Las Vegas, was hit with a cyberattack that exposed just how dangerous social engineering can be. 

Attackers from the groups Scattered Spider and ALPHV tricked help desk employees into resetting accounts, which gave them access to MGM’s Okta and Microsoft Azure systems. The result? Outages across slot machines, hotel room keys, and digital services, plus customer frustration and financial losses topping $100 million.

The MGM case shows how attackers don’t always need advanced malware. Sometimes, a phone call is enough to bypass defenses and compromise entire enterprises. This is the risk of social engineering: it exploits people, not systems, and it’s nearly impossible to defend against without training, monitoring, and strict privilege management.



What happened during the MGM cyberattack?

MGM confirmed its systems went down after attackers gained access through the help desk. Guests experienced days of manual check-ins, inaccessible rooms, non-functional slot machines, and even incorrect charges. Behind the scenes, attackers copied terabytes of data from MGM’s cloud environment.

The financial fallout was staggering: MGM lost an estimated $100 million during the incident.

Who was behind the MGM cyberattack?

The groups known as Scattered Spider (UNC3944) and ALPHV, made up of young hackers from the U.S. and UK, are suspected. Their tactics were simple but effective: impersonate employees, trick IT support into resetting accounts, then escalate privileges to access critical systems.

This form of attack, known as spoofing, isn’t new. But paired with cloud tools like Okta and Azure, it opened doors to nearly every MGM digital asset.

Why did social engineering work here?

Social engineering works because it bypasses traditional cybersecurity measures by targeting the human factor. In MGM’s case, the attackers leveraged the BYOD (Bring Your Own Device) model, where contractors used personal devices for access, creating more weak points.

As cybersecurity instructor Asal Gibson explained, “the BYOD model isn’t the gold standard for security. Yet, numerous companies adopt it for economic reasons rather than issuing secure, dedicated devices.”

Could MGM have prevented this?

Yes, but prevention requires more than firewalls. Experts recommend:

  • Zero-trust policies to limit access.
  • Least privilege principles for help desks and contractors.
  • Multi-factor authentication monitoring that flags abnormal resets.
  • Continuous social engineering training so employees can spot manipulative attempts.

Even simple measures, like only allowing one password reset per session or requiring additional verification, could have slowed the attackers.
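One way to turn the "flag abnormal resets" and "one reset per session" ideas above into a review queue, shown as an added example that is not from the original article or from MGM's tooling. The event fields, account names, and the 30-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a real help desk or Okta schema.
EVENTS = [
    {"ts": "2025-01-06T09:02:00", "session": "call-101", "agent": "hd-ana", "account": "jlee", "action": "password_reset", "verified": True},
    {"ts": "2025-01-06T10:15:00", "session": "call-102", "agent": "hd-raj", "account": "svc-admin", "action": "password_reset", "verified": False},
    {"ts": "2025-01-06T10:19:00", "session": "call-102", "agent": "hd-raj", "account": "svc-admin", "action": "mfa_reset", "verified": False},
    {"ts": "2025-01-06T10:24:00", "session": "call-102", "agent": "hd-raj", "account": "mchan", "action": "password_reset", "verified": True},
    {"ts": "2025-01-06T14:40:00", "session": "call-103", "agent": "hd-ana", "account": "tkim", "action": "mfa_reset", "verified": True},
]

RESET_ACTIONS = {"password_reset", "mfa_reset"}
PAIR_WINDOW = timedelta(minutes=30)  # assumed threshold; tune to your environment


def flag_abnormal_resets(events):
    """Return sorted (session, account, reason) tuples for resets that need review."""
    findings = set()
    per_session = defaultdict(list)
    last_pw_reset = {}  # account -> time of most recent password reset

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in RESET_ACTIONS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["session"], ev["account"])

        # Rule 1: reset performed without additional caller verification.
        if not ev["verified"]:
            findings.add((*key, "unverified_reset"))

        # Rule 2: more than one reset handled in the same help desk session.
        per_session[ev["session"]].append(ev)
        if len(per_session[ev["session"]]) > 1:
            findings.add((*key, "multiple_resets_in_session"))

        # Rule 3: MFA reset shortly after a password reset on the same account.
        if ev["action"] == "password_reset":
            last_pw_reset[ev["account"]] = ts
        elif ev["account"] in last_pw_reset and ts - last_pw_reset[ev["account"]] <= PAIR_WINDOW:
            findings.add((*key, "password_then_mfa_reset"))

    return sorted(findings)


if __name__ == "__main__":
    for finding in flag_abnormal_resets(EVENTS):
        print(finding)
```

In the constructed data only session call-102 is flagged; the two single, verified resets pass without a finding.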

The Takeaway

The MGM cyberattack wasn’t the result of cutting-edge malware. It was a reminder that people, not just systems, are targets. With lawsuits, consumer trust shaken, and losses climbing past $100 million, MGM’s story illustrates how quickly a single help desk interaction can snowball into a crisis.



Strategic Reflections

  1. If someone called pretending to be a colleague, would I know how to spot red flags before providing them access?
  2. How comfortable am I with BYOD policies? Do they make me feel secure, or more exposed?
  3. How can I make awareness of social engineering tricks part of my everyday approach to cybersecurity?