
An Overview of the MGM Cyber Attack

If you have ever been to a Las Vegas casino, then you know that they are literally money-making machines as people bet money on a variety of games on a continuous basis. Modern casinos exemplify digitally transformed businesses, with customers engaging through multiple digital channels, from gaming systems to mobile apps and loyalty programs. The Las Vegas MGM cyber attack clearly showed how a digital outage can quickly result in substantial consequences to a business in regard to its income, customer satisfaction and public image.

On September 11, 2023, MGM Resorts put out a statement on X that a “cyber security incident” was impacting some of its systems. The incident would lead to a $100 million loss for the third quarter of 2023. The attack was put together by two separate organizations known as Scattered Spider and ALPHV. Faced with the significant disruption to their operations and the potential for further damage, the company ultimately made the difficult decision to pay millions in ransom to the attackers. They are now contending with a class action suit filed by those whose information was compromised.


Initial Discovery and Response

It doesn’t take long to determine you are in the throes of a ransomware attack. It is believed that the attackers first breached the network on September 8. The following day, the MGM security teams detected unusual activity and traffic on the company’s systems. The attack quickly escalated over the next couple of days as operations became publicly disrupted.

MGM Resorts took swift action, which included shutting down certain systems to protect their data and infrastructure; this added further disruptions. Recognizing the severity of the situation, MGM quickly brought in third-party agencies and leading cybersecurity experts to assist in containing and mitigating the attack. They also engaged law enforcement, launching an immediate investigation into the breach.

How the MGM Cyber Attack Unfolded

Social Engineering Tactics Used by Hackers

To gain access to the MGM network, Scattered Spider launched a vishing social engineering attack that went something like this:

  1. Scattered Spider members researched MGM employees on LinkedIn, gathering information about their roles and identities.
  2. Using the gathered information, the attackers chose an MGM employee to impersonate.
  3. The hackers called MGM’s IT help desk, posing as the employee, and successfully convinced the help desk to provide them with login credentials.
  4. Using the obtained credentials, Scattered Spider gained administrator privileges to MGM’s Okta and Azure tenant environments.
  5. The attackers used their high-level access to move laterally within MGM’s systems.
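
A defender's view of steps 3 to 5, as an added example that is not from the original article: it correlates a help-desk credential or MFA reset with risky follow-on activity involving the same account. The event schema, field and account names, action labels and the 24-hour window are assumptions made for illustration, not the log format of Okta, Azure or any other product.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema
# (not the export format of any real identity provider).
EVENTS = [
    {"time": "2023-01-10T09:00:00", "actor": "helpdesk.agent1", "action": "password_reset", "target": "j.doe"},
    {"time": "2023-01-10T09:01:00", "actor": "helpdesk.agent1", "action": "mfa_reset", "target": "j.doe"},
    {"time": "2023-01-10T09:07:00", "actor": "j.doe", "action": "mfa_enroll", "target": "j.doe", "device_known": False},
    {"time": "2023-01-10T09:20:00", "actor": "j.doe", "action": "admin_role_granted", "target": "j.doe"},
    {"time": "2023-01-10T10:00:00", "actor": "helpdesk.agent2", "action": "password_reset", "target": "a.smith"},
    {"time": "2023-01-10T10:05:00", "actor": "a.smith", "action": "login", "target": "a.smith", "device_known": True},
    {"time": "2023-01-12T08:00:00", "actor": "it.admin", "action": "admin_role_granted", "target": "b.lee"},
]

RESET_ACTIONS = {"password_reset", "mfa_reset"}
WINDOW = timedelta(hours=24)  # assumed correlation window


def is_risky_followup(ev):
    """Admin role grants, or logins/MFA enrollments from an unknown device."""
    if ev["action"] == "admin_role_granted":
        return True
    return ev["action"] in {"login", "mfa_enroll"} and not ev.get("device_known", True)


def find_reset_then_escalation(events, window=WINDOW):
    """Return accounts whose help-desk reset was followed by risky activity."""
    last_reset = {}  # account -> time of most recent reset done by someone else
    alerts = {}      # account -> {"reset_at": iso time, "followups": [actions]}
    # ISO 8601 strings in one format sort chronologically, so input order is irrelevant.
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["action"] in RESET_ACTIONS and ev["actor"] != ev["target"]:
            last_reset[ev["target"]] = ts
            continue
        if not is_risky_followup(ev):
            continue
        # The reset account may be the one acting or the one being acted on.
        for account in {ev["actor"], ev["target"]}:
            reset_at = last_reset.get(account)
            if reset_at is not None and ts - reset_at <= window:
                alert = alerts.setdefault(
                    account, {"reset_at": reset_at.isoformat(), "followups": []})
                alert["followups"].append(ev["action"])
    return alerts


if __name__ == "__main__":
    for account, alert in find_reset_then_escalation(EVENTS).items():
        print(account, alert)
```

A routine reset followed by a login from a known device (a.smith) and an admin grant with no preceding reset (b.lee) produce no alert; only the reset-then-escalation sequence on j.doe does.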

It was at that time that Scattered Spider brought in ALPHV to deploy their ransomware-as-a-service (RaaS) software. They encrypted approximately 100 ESXi hypervisors within MGM’s network. These servers hosted thousands of virtual machines that supported critical hospitality systems such as gaming machines, online reservation systems, digital room keys and websites. ALPHV also claims to have exfiltrated 6 TB of customer information during this time, upon which they initiated negotiations with MGM to prevent the public release of the stolen data. ALPHV also threatened to disclose the exfiltrated information if an agreement could not be reached.

Impact on MGM Systems and Operations

The effects of the cyberattack on MGM Resorts were immediately apparent with widespread disruptions across their organization:

  • Gambling operations were disrupted as slot machines went offline and displayed error messages
  • Hotel guests complained that their digital room keys stopped working.
  • Online reservation and booking systems were shut down
  • Mobile services were interrupted as the MGM app became completely inaccessible.
  • Email systems were affected
  • Restaurant reservations were disrupted

Timeline of Events and Duration of the Attack

The total duration of the attack was approximately 10 days. The timetable of the attack was as follows:

  • September 7, 2023: Scattered Spider launches a social engineering attack against Caesars Entertainment’s IT support vendor.
  • September 10, 2023: MGM Resorts begins experiencing system outages.
  • September 11, 2023: MGM publicly discloses the incident and launches an investigation after contacting law enforcement.
  • September 12-13, 2023: Customers report various issues impacting their experience.
  • September 14, 2023: Scattered Spider claims to have stolen 6 terabytes of data from MGM Resorts and MGM begins restoring their systems.
  • September 20, 2023: MGM confirms full restoration of service to all its systems.

The Financial and Reputational Damage

Estimated Financial Losses Due to the MGM Cyber Attack

The costs of a ransomware attack can be substantial. They include expenses for mitigation, lost productivity, potential lawsuits, business interruption, and the potential ransom payment itself. Unlike Caesars Entertainment, which experienced a ransomware attack at about the same time and chose to pay the ransom, MGM said that they never considered it. Their decision to refrain from paying was aligned with recommendations from cybersecurity experts, government agencies, and law enforcement, who advised against such actions due to the risks involved. MGM lost an estimated $84 million in revenue. They also spent $10 million in one-time expenses for technology consulting, legal fees, and third-party advisors. The company also faced costs associated with providing complimentary services and restoring loyalty program points to affected customers.

Reputational Impact on MGM and Customer Trust

MGM Resorts faced a barrage of negative social media attention as users vented their frustrations. Whether this will lead to reduced customer loyalty and trust remains to be seen. MGM’s recovery was aided by the timely arrival of the high-profile Formula One race shortly after the incident, which helped to shift focus and potentially mitigate some reputational damage.

Data Breach and Information Compromised

Types of Customer Information Exposed

The data exfiltrated during the attack consisted of information about MGM customers, primarily those who had transacted with the company prior to March 2019. This included personal information such as names, contact information, birth dates and driver’s license numbers. A smaller subset of customers may have had their Social Security, passport or military identification numbers exposed. Personal data related to hotel reservations and loyalty program details was also compromised. While not confirmed, employee data may have been exposed in the attack as well.

Steps MGM Took to Protect Customers

Having a well-defined incident response plan is crucial for effectively managing and mitigating the impact of a cyberattack. Below are some of the measures that MGM took immediately following the attack:

  • Created a specific website or portal with information about the breach
  • Issued public statements and updates through various channels to ensure transparency
  • Provided free credit monitoring services
  • Offered identity theft protection for affected customers and employees
  • Implemented a dedicated call center to address customer concerns and questions

Legal Consequences and Customer Lawsuits

Class-Action Lawsuits Against MGM

Multiple lawsuits have been filed against MGM such as this one. The suits contend that, as a leading global casino and hotel operator, MGM failed to implement adequate cybersecurity measures to protect consumer data. They allege that the company stored sensitive customer information without proper encryption and that Okta had previously alerted the company to potential security risks, suggesting MGM did not heed these warnings. The lawsuits seek various forms of compensation, including:

  • Monetary damages
  • Reimbursement for potential identity theft protection
  • Coverage of expenses related to protecting personal information
  • Punitive damages for alleged negligence

Regulatory Scrutiny and Compliance Issues

MGM properly disclosed the cyberattack and its potential financial impact in SEC filings, as required for public companies. The FTC launched an investigation into MGM’s data security practices following the attack. MGM, however, filed suit against the FTC, claiming the inquiry oversteps the agency’s authority. The company also alleges a conflict of interest, as FTC Chairwoman Lina Khan was personally affected by the cyberattack while staying at an MGM property. Several state regulatory bodies have also launched investigations into the incident. While specific agencies have not been named, the Nevada Gaming Control Board is likely involved in the inquiry.

Lessons Learned and Future Cybersecurity Measures

Improvements in MGM’s Cybersecurity Strategy

To strengthen their cybersecurity posture, the company conducted a thorough assessment of their existing cybersecurity systems and processes. They then implemented additional security measures that included:

  • Improved access controls and authentication processes
  • Enhanced network segmentation
  • Upgraded intrusion detection and prevention systems
  • Strengthened data encryption practices

In addition, MGM announced plans to invest up to $40 million in IT improvements in the following year.

The Importance of Incident Response Plans

MGM’s swift actions clearly indicate that they had a well-structured incident response plan in place. Their prompt response included:

  • Engaging cybersecurity experts and law enforcement agencies
  • Mobilizing IT professionals to contain the breach
  • Attempting to prevent further spread of the ransomware
  • Timely and transparent communication with affected customers

MGM quickly recognized the severity of the attack and made the decision to shut down critical digital systems to isolate the attack. While this initially caused operational disruption, it prevented further data exfiltration and limited the potential spread of the ransomware. This proactive approach demonstrated the importance of having a predefined protocol for rapid system isolation during a cybersecurity incident.

Broader Implications for the Hospitality Industry

The MGM Resorts cyberattack exposed the industry’s reliance on interconnected digital systems for operations. As the sector increasingly integrates digital technologies to manage bookings, loyalty programs, and payment systems, it becomes a prime target for cybercriminals. The attack showed just how quickly multiple services can be disrupted. To address the heightened risk, the industry must implement comprehensive security measures, continuously test their defenses, and make necessary adjustments.

How Netwrix Can Help

Netwrix has a complete suite of security solutions that can protect your organization from attacks like the MGM Grand cyber attack. Here are some examples:

  • Netwrix Privileged Access Management can stop attackers moving laterally in your environment by eliminating standing privilege. Rather than static accounts that are vulnerable when not in use, Netwrix allows you to create just-in-time temporary accounts with just enough access to perform the task at hand. Once the task is completed, the account is deleted. It can also help you monitor all admin activities in real time across multiple IT systems.
  • Netwrix Auditor can detect security gaps in data and infrastructure, such as excessive direct permissions or an abundance of inactive users, and help take corrective measures to minimize your attack surface. By consolidating all anomalous activity alerts triggered by an individual into a comprehensive view, you can quickly identify potentially malicious insiders or compromised accounts.
  • Netwrix Data Classification Software can find all the sensitive content strung about your organization so that you can prioritize security for it. It can automatically quarantine critical or sensitive data stored in unsecure locations or accessible by large open groups.

Netwrix uses user activity monitoring to flag unauthorized or excessive access to privileged accounts, detecting when a user accesses systems or data they don’t typically interact with. File integrity monitoring identifies unauthorized changes to key files or configurations. Netwrix also offers compliance reporting tools to help MGM stay aligned with industry standards and regulations.


FAQs

What happened with the MGM cyber attack?

The Las Vegas MGM cyberattack in September 2023 gave us a glimpse into how a single attack can extensively disrupt operations for a digital business. The attack was initiated by a group called Scattered Spider that used social engineering to impersonate a targeted employee and convince the IT help desk to provide login credentials, which they did. This allowed the attackers to infiltrate MGM’s network systems, at which point they handed operations over to a ransomware group called ALPHV, which then exfiltrated data and encrypted critical systems. The attack ended up costing MGM an estimated $100 million in lost revenue, legal fees, and other expenses.

What happened in the Las Vegas cyber attack 2023?

Two cybercriminal organizations coordinated an attack on two major Las Vegas casinos in September 2023, including the MGM Grand. For the MGM, the attack disrupted operations, causing slot machines to go offline, digital room keys to stop working, and online reservation systems to shut down. Email systems were affected, and many mobile services, including the MGM app, became inaccessible.

Who is behind the MGM hack?

The MGM hack is attributed to two main groups. The first was Scattered Spider, a hacking organization that specializes in social engineering attacks. They are known for their fluency in English, which aids in their convincing vishing attempts. The second organization was ALPHV, also known as BlackCat. They are a ransomware-as-a-service operation based in Russia and it was they who provided the ransomware that was responsible for the primary attack. It is believed that these two organizations have some type of affiliation with one another.

Is the MGM cyber attack over?

While the attack that took place over a ten-day period in September 2023 is over, the aftereffects of the attack still linger. MGM faces multiple class action lawsuits related to the breach and several regulatory agencies are conducting separate investigations into the attack. MGM has also pledged $40 million in additional safeguards and improvements to their IT infrastructure.

Did MGM hackers get caught?

Yes, a number of arrests have been made concerning the attack on MGM. In July 2024, a 17-year-old from the United Kingdom was arrested for involvement in the attack. U.S. prosecutors unveiled criminal charges against five alleged members of Scattered Spider months later in November 2024. Scattered Spider is one of the criminal organizations involved in the attack.

Did MGM pay the ransom?

MGM Resorts chose not to pay the ransom demanded by the hackers. This decision was aligned with recommendations from cybersecurity experts, government agencies, and law enforcement, who advised against such actions due to the risks involved. This approach differed from Caesars Entertainment, which reportedly paid approximately $15 million to the same hacker group. Of course, it cannot be known for sure whether MGM paid or not.

What was stolen from MGM Resorts?


In the case of the cyberattack on the MGM Las Vegas casino, what was stolen was information, primarily the personal information of its customers. The compromised data included names, contact information, and ID numbers such as driver’s license, military ID and passports. Personal data related to hotel reservations and loyalty program details was also compromised. It is also possible that some employee data may have been exposed in the attack as well.

How much money did the MGM lose from the cyber attack?

According to an SEC filing, MGM Resorts incurred a $100 million loss in Q3 2023 due to the cyberattack. This included $84 million in lost revenue from disrupted operations and $10 million in one-time expenses for technology consulting, legal fees, and third-party advisors. The company may face additional future losses from potential litigation awards and compliance fines.

Did MGM pay the ransomware attackers?

It is always a major decision whether to pay the ransom to accelerate recovery or not. In the case of the MGM Resorts Cyber Attack, company leadership decided to take the advice of cybersecurity experts, government agencies, and law enforcement, who advised against paying it due to the risks involved.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.